1. INTRODUCTION 



Optimization techniques for logic-based languages fall into two main categories:
on one hand, there exist methods for compile-time and low-level optimizations,
such as the ones presented for constraint logic programs by [Jørgensen et al.
1991], which are usually based on program analysis methodologies (e.g. abstract
interpretation). On the other hand, we find source-to-source transformation
techniques such as partial evaluation [Mogensen and Sestoft 1997] and more general
techniques based on the unfold and fold operations or on the replacement operation.

Unfold/fold transformation techniques were first introduced for functional
programs in [Burstall and Darlington 1977], and then adapted to logic programming
(LP) both for program synthesis [Clark and Sickel 1977; Hogger 1981] and for
program specialization and optimization [Komorowski 1982]. Tamaki and Sato [1984]
proposed a general framework for the unfold/fold transformation of logic programs,
which has remained over the years the main historical reference of the field, and
which has later been extended to constraint logic programming (CLP) in [Maher
1993; Etalle and Gabbrielli 1996; Bensaou and Guessarian 1998] (for an overview of
the subject, see the survey by Pettorossi and Proietti [1994]). As shown by a
number of applications, these techniques provide a powerful methodology for the
development and optimization of large programs, and can be regarded as the basic
transformation techniques, which might be further adapted for use in partial
evaluation.

Despite a large literature in the field of declarative sequential languages,
unfold/fold transformation sequences have hardly been applied to concurrent
languages. Notable exceptions are the papers of Ueda and Furukawa [1988], Sahlin
[1995], and de Francesco and Santone [1996] (their relations with this paper are
discussed in Section 7). Also when considering partial evaluation we find only
very few recent attempts [Hosoya et al. 1996; Marinescu and Goldberg 1997; Gengler
and Martel 1997] to apply it in the field of concurrent languages.

This situation is partially due to the fact that the non-determinism and the 
synchronization mechanisms present in concurrent languages substantially compli- 
cate their semantics, thus complicating also the definition of correct transformation 
systems. Nevertheless these transformation techniques can be very useful also for 
concurrent languages, since they allow further optimizations related to the simpli- 
fication of synchronization and communication mechanisms. 

In this paper we introduce a transformation system for concurrent constraint
programming (CCP) [Saraswat 1989; Saraswat and Rinard 1990; Saraswat et al.
1991]. This paradigm derives from replacing the store-as-valuation concept of von
Neumann computing by the store-as-constraint model: its computational model is
based on a global store, which consists of the conjunction of all constraints
established until that moment and expresses some partial information on the
values of the variables involved in the computation. Concurrent processes
synchronize and communicate asynchronously via the store by using elementary
actions (ask and tell) which can be expressed in a logical form (essentially
implication and conjunction [Boer et al. 1997]). On one hand, CCP enjoys a clean
logical semantics, avoiding many of the complications arising in the concurrent
imperative setting; as argued in the position paper [Etalle and Gabbrielli 1998]
this aspect is of great help in the development of effective transformation
tools. On the other hand, differently from the case of other theoretical models
for concurrency (e.g. the π-calculus), there exist "real" implementations of
concurrent constraint languages (notably, the Oz language [Smolka 1995] and the
related ongoing Mozart project, http://www.mozart-oz.org/); thus, in contrast to
other models for concurrency, in this framework transformation techniques can be
readily applied to practical problems.

The transformation system we are going to introduce is originally inspired by
the system of Tamaki and Sato [1984]. Compared to its predecessors, it improves
in three ways. Firstly, we managed to eliminate the limitation that in a folding
operation the folding clause has to be non-recursive, a limitation which is
present in many other unfold/fold transformation systems; this improvement
possibly leads to the use of new, more sophisticated transformation strategies.
Secondly, the applicability conditions we propose for the folding operation are
independent from the transformation history, making the operation much easier to
understand and to implement. In fact, following [de Francesco and Santone 1996],
our applicability conditions are based on the notion of "guardedness" and can be
checked locally on the program to be folded. Finally, we introduced several new
transformation operations. It is also worth mentioning that the declarative
nature of CCP allows us to define reasonably simple applicability conditions
which ensure the correctness of our system.

We will illustrate with a practical example how our transformation system for
CCP can be even more useful than its predecessors for sequential logic languages.
Indeed, in addition to the usual benefits, in this context the transformations
can also lead to the elimination of communication channels and of synchronization
points, to the transformation of non-deterministic computations into
deterministic ones, and to the crucial saving of computational space. These
improvements were already possible in the context of GHC programs by using the
system defined in [Ueda and Furukawa 1988].

Our results show that the original and the transformed program have the same 
input/output semantics in a rather strong sense, which distinguishes successful, 
deadlocked and failed derivations. As a corollary, we obtain that the original pro- 
gram is deadlock free iff the transformed one is and this allows us to employ the 
transformation system as an effective tool for proving deadlock-freeness: if, after 
the transformation, we can prove or see that the process we are considering never 
deadlocks (in some cases the transformation simplifies the program's behavior so 
that this can be immediately checked), then we are also sure that the original pro- 
cess does not deadlock either. We also consider non-terminating computations by 
proving three further correctness results. The first one shows that the intermediate 
results of (possibly non-terminating) computations are preserved up to logical im- 
plication, while the second one ensures full preservation of (traces of) intermediate 
results, provided we slightly restrict the applicability conditions for our transforma- 
tions. The third result shows that this restricted transformation system preserves 
a certain kind of infinite computations (active ones). We discuss the extension of 
this result to the general case, claiming that our system does not introduce any 
new infinite computation. 

This paper is organized as follows: in the next section we present the notation
and the necessary preliminary definitions, most of them regarding the CCP
paradigm. In Section 3 we define the transformation system, which consists of
various different operations (for this reason the section is divided into a
number of subsections). We will also use a working example to illustrate the
application of our methodology. Section 4 states the first main result,
concerning the correctness of the transformation system, while Section 5 contains
the results for non-terminating computations. Further examples are contained in
Section 6. Section 7 compares this paper to related work in the literature and
Section 8 concludes. For the sake of readability we include in this paper only
proof sketches of several results, the (rather long) technical details being
deferred to the (on-line only) Appendix.

A preliminary version of this paper appeared in [Etalle et al. 1998].

2. PRELIMINARIES 

The basic idea underlying the CCP paradigm is that computation progresses via 
monotonic accumulation of information in a global store. The information is pro- 
duced (in form of constraints) by the concurrent and asynchronous activity of sev- 
eral agents which can add a constraint c to the store by performing the basic action 
tell(c). Dually, agents can also check whether a constraint c is entailed by the store 
by using an ask(c) action. This allows the synchronization of different agents. 

Concurrent constraint languages are defined parametrically with respect to the 
notion of constraint system, which is usually formalized in an abstract way follow- 
ing the guidelines of Scott's treatment of information systems (see [Saraswat and 
Rinard 1990]). Here, we consider a more concrete notion of constraint which is 
based on first-order logic and which coincides with the one used for constraint logic 
programming (e.g. see [Jaffar and Maher 1994]). This will allow us to define the 
transformation operations in a more comprehensible way, while retaining a suffi- 
cient expressive power. We could equally well define the transformations in terms 
of the abstract notion of constraint system given in [Saraswat and Rinard 1990]¹.

Thus, assume given a signature $\Sigma$ defining a set of function and predicate
symbols and associating an arity with each symbol. A constraint $c$ is a
first-order $\Sigma$-formula built by using symbols of $\Sigma$, variables from a
given (countable) set $V$ and the logical connectives and quantifiers
($\wedge, \vee, \neg, \exists$) in the usual way. The interpretation for the
symbols in $\Sigma$ is provided by a $\Sigma$-structure $\mathcal{D}$ consisting
of a set $D$ and an assignment of functions and relations on $D$ to the symbols
in $\Sigma$ which respect the arities. So, $\mathcal{D}$ defines the computational
domain on which constraints are interpreted. Usually, in order to model parameter
passing, $\Sigma$ is assumed to contain the binary predicate symbol $=$ which is
interpreted as the identity in $\mathcal{D}$. We will follow this assumption,
which allows us to avoid the use of most general unifiers (indeed, for many
computation domains $\mathcal{D}$ the most general unifier of two terms does not
exist).

The formula $\mathcal{D} \models c$ states that $c$ is valid in the interpretation
provided by $\mathcal{D}$, i.e. that it is true for every valuation of the free
variables of $c$. The empty conjunction of primitive constraints will be
identified with $true$. We also denote by $Var(e)$ the set of free variables
occurring in the expression $e$.



¹ To this aim, essentially we should replace equations of the form $X = Y$ by the
diagonal elements $d_{XY}$.
In the sequel, constraints will be considered up to equivalence in the domain
$\mathcal{D}$, i.e. we write $c_1 = c_2$ in case $\mathcal{D} \models c_1 \leftrightarrow c_2$.
Terms will be denoted by $t, s, \ldots$, variables with $X, Y, Z, \ldots$;
further, as a notational convention, $\tilde{t}$ and $\tilde{X}$ denote a tuple
of terms and a tuple of distinct variables, respectively. $\exists_{-\tilde{X}}\, c$
stands for the existential closure of $c$ except for the variables in $\tilde{X}$,
which remain unquantified. We also assume that the reader is acquainted with the
notions of substitution and of most general unifier (see [Lloyd 1987]). We denote
by $e\sigma$ the result of the application of a substitution $\sigma$ to an
expression $e$. Given a substitution $\sigma$, the domain of $\sigma$,
$Dom(\sigma)$, is the finite set of variables $\{X \mid X\sigma \neq X\}$, and the
range of $\sigma$ is defined as $Ran(\sigma) = \bigcup_{X \in Dom(\sigma)} Var(X\sigma)$.

The notation and the semantics of programs and agents are virtually the same as
in [Saraswat and Rinard 1990]. In particular, the || operator allows one to
express parallel composition of two agents and it is usually described in terms
of interleaving, while non-determinism arises by introducing a (global) choice
operator $\sum_{i=1}^{n} \mathrm{ask}(c_i) \to A_i$: the agent
$\sum_{i=1}^{n} \mathrm{ask}(c_i) \to A_i$ nondeterministically selects one
$\mathrm{ask}(c_i)$ which is enabled in the current store, and then behaves like
$A_i$. Thus, the syntax of CCP declarations and agents is given by the following
grammar:

Declarations   D ::= ε | p(t̃) ← A | D, D

Agents         A ::= stop | tell(c) | Σ_{i=1}^{n} ask(c_i) → A_i | A || A | p(t̃)

Processes   Proc ::= D.A

where $c$ and the $c_i$'s are constraints. Note that here we allow terms both as
formal and actual parameters.

Usually this is not the case, since the procedure call $p(\tilde{t})$ can be
equivalently written as $p(\tilde{X}) \,\|\, \mathrm{tell}(\tilde{X} = \tilde{t})$,
while the declaration $p(\tilde{t}) \leftarrow A$ is equivalent to
$p(\tilde{X}) \leftarrow A \,\|\, \mathrm{tell}(\tilde{X} = \tilde{t})$. We make
this assumption only because it simplifies the writing of programs in the
examples.

Due to the presence of an explicit choice operator, as usual we assume (without
loss of generality) that each predicate symbol is defined by exactly one
declaration. A program is a set of declarations. In the following examples we
assume that the operator → binds tighter than || (so, ask(a) → A || ask(b) → B
+ ask(d) → C means (ask(a) → A) || (ask(b) → B + ask(d) → C)). In case some
ambiguity arises we will use brackets to indicate the scope of the operators.

An important aspect in which we slightly depart from the usual formalization of
CCP regards the notion of locality. In [Saraswat and Rinard 1990] locality is
obtained by using the operator $\exists$, and the behavior of the agent
$\exists_X A$ is defined like the one of $A$, with the variable $X$ considered as
local to it. Here we do not use such an explicit operator: analogously to the
standard CLP setting, locality is introduced implicitly by assuming that if a
process is defined by $p(\tilde{t}) \leftarrow A$ and a variable $Y$ occurs in
$A$ but not in $\tilde{t}$, then $Y$ has to be considered local to $A$.

The operational model of CCP is described by a transition system
$T = (\mathit{Conf}, \longrightarrow)$ where configurations (in) $\mathit{Conf}$
are pairs consisting of a process and a constraint (representing the common
store), while the transition relation $\longrightarrow \subseteq \mathit{Conf} \times \mathit{Conf}$
is described by the (least relation satisfying the) rules R1-R4 of Table I,
which should be self-explanatory. Here and in the following we assume given a
set D of declarations and we denote by $\mathit{defn}_D(p)$ the set of variants²
of the (unique) declaration in D for the predicate symbol $p$. Due to the
presence of terms as arguments to predicate symbols, differently from the
standard setting, in rule R4 parameter passing is performed by a tell action. We
also assume the presence of a renaming mechanism that takes care of using fresh
variables each time a declaration is considered³.

Table I. The (standard) transition system.

We denote by $\longrightarrow^*$ the reflexive-transitive closure of the relation
$\longrightarrow$ defined by the transition system, and we denote by Stop any
agent which contains only stop and || constructs. A finite derivation (or
computation) containing only satisfiable constraints is called successful if it
is of the form $(D.A, c) \longrightarrow^* (D.\mathit{Stop}, d) \not\longrightarrow$,
while it is called deadlocked if it is of the form
$(D.A, c) \longrightarrow^* (D.B, d) \not\longrightarrow$ with $B$ different from
Stop (i.e., $B$ contains at least one suspended agent). A derivation eventually
producing $false$ is called failed. Note that we consider here the so-called
"eventual tell" CCP, i.e. when adding constraints to the store (via tell
operations) there is no consistency check. Our results could be adapted to the
CCP language with consistency check ("atomic tell" CCP) by minor modifications
of the transformation operations.

3. THE TRANSFORMATION 

In order to illustrate the application of our method we will adopt a working example. 
We consider an auction problem in which two bidders participate: bidder_a and 
bidder_b; each bidder takes as input the list of the bids of the other one and produces 
as output the list of his own bids. When one of the two bidders wants to quit 
the auction, it produces in its own output stream the token quit. This protocol 
is implemented by the following program AUCTION. Here and in the following 
examples we do not make any assumption on the specific constraint domain being 
used, apart from the fact that it should allow us to use lists of elements. This 
is the case for most existing general purpose constraint languages, which usually 
incorporate also some arithmetic domain (see [Jaffar and Maher 1994]). 

auction(LeftBids, RightBids) ← bidder_a([0|RightBids], LeftBids) || bidder_b(LeftBids, RightBids)



² A variant of a declaration $d$ is obtained by replacing the tuple $\tilde{X}$ of
all the variables appearing in $d$ by another tuple $\tilde{Y}$.

³ For the sake of simplicity we do not describe this renaming mechanism in the
transition system. The interested reader can find in [Saraswat and Rinard 1990;
Saraswat et al. 1991] various formal approaches to this problem.
bidder_a(HisList, MyList) ←
    ask(∃HisBid,HisList' HisList = [HisBid|HisList'] ∧ HisBid = quit) → stop
    + ask(∃HisBid,HisList' HisList = [HisBid|HisList'] ∧ HisBid ≠ quit) →
        (tell(HisList = [HisBid|HisList']) ||
         make_new_bid_a(HisBid, MyBid) ||
         ask(MyBid = quit) → (tell(MyList = [MyBid|MyList']) || broadcast("a quits"))
         + ask(MyBid ≠ quit) → (tell(MyList = [MyBid|MyList']) ||
                                tell(MyBid ≠ quit) ||
                                bidder_a(HisList', MyList')))

plus an analogous definition for bidder_b. 

Here, the agent make_new_bid_a(HisBid, MyBid) is in charge of producing a new
offer in presence of the competitor's offer HisBid; the agent will produce
MyBid = quit if it evaluates that HisBid is too high to be topped, and decides to
leave the auction. This agent could be further specified by using arithmetic
constraints. In order to avoid deadlock, auction initializes the auction by
inserting a fictitious zero bid in the input of bidder_a. Notice that in the
above program the agent tell(HisList = [HisBid|HisList']) is needed to bind the
local variables (HisBid, HisList') to the global one (HisList): in fact, as a
result of the operational semantics, such a binding is not performed by the ask
agent. On the contrary, the agent tell(MyBid ≠ quit) is redundant: we have
introduced it in order to slightly simplify the following transformations (the
transformations remain possible also without such a tell). The introduction of
redundant tell's is a transformation operation which will be formally defined
in Subsection 3.4.

3.1 Introduction of a new definition 

The introduction of a new definition is virtually always the first step of a trans- 
formation sequence. Since the new definition is going to be the main target of the 
transformation operation, this step will actually determine the very direction of the 
subsequent transformation, and thus the degree of its effectiveness. 

Determining which definitions should be introduced is a very difficult task which 
falls into the area of strategies. To give a simple example, if we wanted to apply 
partial evaluation to our program with respect to a given agent A (i.e. if we wanted 
to specialize our program so that it would execute the partially instantiated agent 
A in a more efficient way), then a good starting point would most likely be the 
introduction of the definition $p(\tilde{X}) \leftarrow A$, where $\tilde{X}$ is
an appropriate tuple of variables and $p$ is a new predicate symbol. A different
strategy would probably determine the introduction of a different new
definition. For a survey of the other possibilities we refer to [Pettorossi and
Proietti 1994].

In this paper we are not concerned with the strategies, but only with the basic 
transformation operations and their correctness: we aim at defining a transforma- 
tion system which is general enough so to be applied in combination with different 
strategies. 

In order to simplify the terminology and the technicalities, we assume that these 
new declarations are added once for all to the original program before starting the 
transformation itself. Note that this is clearly not restrictive. As a notational con- 
vention we call Do the program obtained after the introduction of new definitions. 
In the case of program AUCTION, we assume that the following new declarations
are added to the original program.

auction_left(LastBid) ← tell(LastBid ≠ quit) || bidder_a([LastBid|Bs], As) || bidder_b(As, Bs).
auction_right(LastBid) ← tell(LastBid ≠ quit) || bidder_a(Bs, As) || bidder_b([LastBid|As], Bs).

The agent auction_left(LastBid) engages an auction starting from the bid LastBid
(which cannot be quit) and expecting the bidder "a" to be the next one to bid.
The agent auction_right(LastBid) is symmetric.

3.2 Unfolding 

The first transformation we consider is the unfolding. This operation consists
essentially in the replacement of a procedure call by its definition. The syntax
of CCP agents allows us to define it in a very simple way by using the notion of
context. A context, denoted by C[ ], is simply an agent with a "hole", where the
hole can contain any expression of type agent. So, for example, [ ] || A and
ask(c) → A + ask(b) → [ ] are contexts, while ask(a) → A + [ ] is not. C[A]
denotes the agent obtained by replacing the hole in C[ ] by the agent A, in the
obvious way.

Definition 3.1 (Unfolding). Consider a set of declarations D containing

$d : H \leftarrow C[p(\tilde{t})]$
$u : p(\tilde{s}) \leftarrow B$

Then unfolding $p(\tilde{t})$ in $d$ consists in replacing $d$ by

$d' : H \leftarrow C[B \,\|\, \mathrm{tell}(\tilde{t} = \tilde{s})]$

in D. Here $d$ is the unfolded definition and $u$ is the unfolding one; $d$ and
$u$ are assumed to be renamed so that they do not share variables.

After an unfolding we often need to simplify some of the newly introduced tell's 
in order to "clean up" the resulting declarations. This is accomplished via a tell 
elimination. Recall that a most general unifier $\sigma$ of the terms $\tilde{t}$
and $\tilde{s}$ is called relevant if $(Dom(\sigma) \cup Ran(\sigma)) \subseteq Var(\tilde{t}, \tilde{s})$.

Definition 3.2 (Tell Elimination and Tell Introduction). The declaration

$d : H \leftarrow C[\mathrm{tell}(\tilde{s} = \tilde{t}) \,\|\, B]$

can be transformed via a tell elimination into

$d' : H \leftarrow C[B\sigma]$

where $\sigma$ is a relevant most general unifier of $\tilde{s}$ and $\tilde{t}$,
provided that the variables in the domain of $\sigma$ occur neither in C[ ] nor
in H. This operation is applicable either when the computational domain
$\mathcal{D}$ admits a most general unifier, or when $\tilde{s}$ and $\tilde{t}$
are sequences of distinct variables, in which case $\sigma$ is simply a renaming.
On the other hand, the declaration

$d : H \leftarrow C[B\sigma]$

can be transformed via a tell introduction into

$d' : H \leftarrow C[\mathrm{tell}(\tilde{X} = \tilde{X}\sigma) \,\|\, B]$

provided that $\sigma$ is a substitution such that $\tilde{X} = Dom(\sigma)$ and
$Dom(\sigma) \cap (Var(C[\,], H) \cup Ran(\sigma)) = \emptyset$.

Notice that, in particular, we can always exchange C[tell(true) || A] with C[A]
and vice-versa. The presence of $Ran(\sigma)$ in the above condition is needed to
ensure that $\sigma$ is idempotent: in fact, using substitutions $\sigma$ of the
form $\{X/f(X)\}$ would not be correct in general. In practice, the constraints
on the domain of $\sigma$ can be weakened by appropriately renaming some local
variables; this is also shown in the upcoming example. In fact, if all the
occurrences of a local variable in C[ ] are in choice branches different from
the one the "hole" lies in, then we can safely rename apart each one of these
occurrences.

In our AUCTION example, we start working on the definition of auction_right, and 
we unfold the agent bidder_b([LastBid|As], Bs) and then we perform the subsequent 
tell eliminations (we eliminate the tells introduced by the unfolding). The result of 
these operations is the following program. 

auction_right(LastBid) ← tell(LastBid ≠ quit) ||
    bidder_a(Bs, As) ||
    ask(∃HisBid,HisList' [LastBid|As] = [HisBid|HisList'] ∧ HisBid = quit) → stop
    + ask(∃HisBid,HisList' [LastBid|As] = [HisBid|HisList'] ∧ HisBid ≠ quit) →
        tell([LastBid|As] = [HisBid|HisList']) ||
        make_new_bid_b(HisBid, MyBid) ||
        ask(MyBid = quit) → tell(Bs = [MyBid|Bs']) || broadcast("b quits")
        + ask(MyBid ≠ quit) → tell(Bs = [MyBid|Bs']) ||
                               tell(MyBid ≠ quit) ||
                               bidder_b(HisList', Bs')

3.3 Backward Instantiation 

The new operation of backward instantiation is somewhat similar to the one of
unfolding. We immediately begin with its definition.

Definition 3.3 (Backward Instantiation). Let D be a set of definitions and

$d : H \leftarrow C[p(\tilde{t})]$

$b : p(\tilde{s}) \leftarrow \mathrm{tell}(c) \,\|\, B$

be two definitions of D. The backward instantiation of $p(\tilde{t})$ in $d$
consists in replacing $d$ by $d'$, which is either

$d' : H \leftarrow C[p(\tilde{t}) \,\|\, \mathrm{tell}(c) \,\|\, \mathrm{tell}(\tilde{t} = \tilde{s})]$

or

$d' : H \leftarrow C[p(\tilde{t}) \,\|\, \mathrm{tell}(\tilde{t} = \tilde{s})]$

(it is assumed here that $d$ and $b$ are renamed so that they have no variables
in common).

More generally, the operation can also be applied when $b$ is not of the form
$p(\tilde{s}) \leftarrow \mathrm{tell}(c) \,\|\, B$ by considering $c$ to be $true$.

Intuitively, this operation can be regarded as a "half-unfolding" for the
following reason: performing an unfolding is equivalent to applying a derivation
step to the atomic agent under consideration; here we do not quite do that, yet
we carry out (part of) the first two phases that the derivation step requires.

In Section 6 we will show an application of this operation (Example 6.2).

3.4 Ask and Tell Simplification 

A new important operation is the one which allows us to modify the ask guards
and the tell's occurring in a program. Let us call produced constraint of C[ ]
the conjunction of all the constraints appearing in ask and tell actions which
can be evaluated before [ ] is reached (in the context C[ ]). Now, if $a$ is the
produced constraint of C[ ] and $\mathcal{D} \models a \to c$, then clearly we
can simplify an agent of the form C[ask(c) → A + ask(d) → B] to
C[ask(true) → A + ask(d) → B]⁴. Moreover, under the previous hypothesis, we can
clearly transform C[tell(c) || A] to C[A] and, conversely, C[A] to
C[tell(c) || A] (as previously mentioned, this latter transformation, consisting
in the introduction of a redundant tell, might be needed to prepare a program
for the folding operation).

In general, if $a$ is the produced constraint of C[ ] and for some constraint
$c'$ we have that
$\mathcal{D} \models \exists_{-\tilde{Z}}(a \wedge c) \leftrightarrow \exists_{-\tilde{Z}}(a \wedge c')$
(where $\tilde{Z} = Var(C, A)$), then we can replace $c$ with $c'$ in
C[ask(c) → A] and in C[tell(c)]. In particular, if we have that $a \wedge c$ is
unsatisfiable, then $c$ can immediately be replaced with $false$ (the
unsatisfiable constraint). In order to formalize this intuitive idea, we start
with the following definition.

Definition 3.4. Given an agent $A$, the produced constraint of $A$ is denoted by
$pca(A)$ and is defined by structural induction as follows:

$pca(\mathrm{tell}(c)) = c$

$pca(A \,\|\, B) = pca(A) \wedge pca(B)$

$pca(A) = true$ for any agent $A$ which is neither of the form $\mathrm{tell}(c)$
nor a parallel composition.

By extending the definition we use for agents to contexts, given a context C[ ]
the produced constraint of C[ ] is denoted by $pc(C[\,])$ and is inductively
defined as follows:

$pc([\,]) = true$

$pc(C'[\,] \,\|\, B) = pc(C'[\,]) \wedge pca(B)$

$pc(\sum_{i=1}^{n} \mathrm{ask}(c_i) \to A_i) = c_j \wedge pc(C'[\,])$ where
$j \in [1, n]$ and $A_j = C'[\,]$

The following definition allows us to determine when two constraints are
equivalent within a given context C[ ].

Definition 3.5. Let $c, c'$ be constraints, C[ ] be a context, and $\tilde{Z}$ be
a set of variables. We say that $c$ is equivalent to $c'$ within C[ ] and w.r.t.
the variables in $\tilde{Z}$ iff
$\mathcal{D} \models \exists_{-\tilde{Z}}(pc(C[\,]) \wedge c) \leftrightarrow \exists_{-\tilde{Z}}(pc(C[\,]) \wedge c')$.

This definition is employed in the following operation, which allows us to simplify 
the constraints in the ask and tell guards. 



⁴ Note that in general the further simplification to C[A + ask(d) → B] is not
correct, although we can transform C[ask(true) → A] into C[A].
Definition 3.6 (Ask and Tell Simplification). Let D be a set of declarations.

(1) Let $d : H \leftarrow C[\sum_{i=1}^{n} \mathrm{ask}(c_i) \to A_i]$ be a
declaration of D. Suppose that $c'_1, \ldots, c'_n$ are constraints such that
for $j \in [1, n]$, $c'_j$ is equivalent to $c_j$ within C[ ] and w.r.t. the
variables in $Var(C, H, A_j)$.

Then we can replace $d$ with $d' : H \leftarrow C[\sum_{i=1}^{n} \mathrm{ask}(c'_i) \to A_i]$
in D. We call this an ask simplification operation.

(2) Let $d : H \leftarrow C[\mathrm{tell}(c)]$ be a declaration of D. Suppose
that the constraint $c'$ is equivalent to $c$ within C[ ] and w.r.t. the
variables in $Var(C, H)$.

Then we can replace $d$ with $d' : H \leftarrow C[\mathrm{tell}(c')]$ in D. We
call this a tell simplification operation.

In our AUCTION example, we can consider the produced constraint of
tell(LastBid ≠ quit), and modify the subsequent ask constructs as follows:

auction_right(LastBid) ← tell(LastBid ≠ quit) ||
    bidder_a(Bs, As) ||
    ask(∃HisBid,HisList' [LastBid|As] = [HisBid|HisList'] ∧ LastBid ≠ quit ∧ HisBid = quit) → stop
    + ask(∃HisBid,HisList' [LastBid|As] = [HisBid|HisList']) →
        tell([LastBid|As] = [HisBid|HisList']) || ...

Via the same operation, we can immediately simplify this to:

auction_right(LastBid) ← tell(LastBid ≠ quit) || bidder_a(Bs, As) ||
    ask(false) → stop
    + ask(true) → tell([LastBid|As] = [HisBid|HisList']) || ...

3.5 Branch Elimination and Conservative Ask Elimination 

In the above program we have a guard ask(false) which of course will never be 
satisfied. The first important application of the guard simplification operation 
regards then the elimination of unreachable branches. 

Definition 3.7 (Branch Elimination). Let D be a set of declarations and let

$d : H \leftarrow C[\sum_{i=1}^{n} \mathrm{ask}(c_i) \to A_i]$

be a declaration of D. Assume that $n > 1$ and that for some $j \in [1, n]$ we
have that $c_j = false$; then we can replace $d$ with

$d' : H \leftarrow C[(\sum_{i=1}^{j-1} \mathrm{ask}(c_i) \to A_i) + (\sum_{i=j+1}^{n} \mathrm{ask}(c_i) \to A_i)]$.

The condition that $n > 1$ means that we cannot eliminate all the branches of a
choice, and it is needed to ensure the correctness of the system (otherwise one
could transform a deadlock into a success: for example, the agent
tell(c) || ask(false) → stop, when evaluated in the empty store, produces the
constraint c and deadlocks, while the agent tell(c) produces c and succeeds).

By applying this operation to the above piece of example, we can eliminate
ask(false) → stop, thus obtaining

auction_right(LastBid) ← tell(LastBid ≠ quit) ||
    bidder_a(Bs, As) ||
    ask(true) → tell([LastBid|As] = [HisBid|HisList']) || ...

Now we do not see any reason for not eliminating the guard ask(true) altogether.
This can indeed be done via the following operation.

Definition 3.8 (Conservative Ask Elimination). Consider the declaration

$d : H \leftarrow C[\mathrm{ask}(true) \to B]$

We can transform $d$ into the declaration

$d' : H \leftarrow C[B]$.

This operation, although trivial, is the subject of debate. In fact, Sahlin
[1995] defines a similar operation, with the crucial distinction that the choice
might still have more than one branch; in other words, in the system of [Sahlin
1995] one is allowed to simplify the agent C[ask(true) → A + ask(b) → B] to the
agent C[A], even if b is satisfiable. Ultimately, one is allowed to replace the
agent C[ask(true) → A + ask(true) → B] either with C[A] or with C[B],
indifferently. Such an operation is clearly more widely applicable than the one
we have presented, but is bound to be incomplete, i.e. to lead to the loss of
potentially successful branches. Nevertheless, Sahlin argues that an ask
elimination such as the one defined above is potentially too restrictive for a
number of useful optimizations. We agree with this statement only partially;
nevertheless, the system we propose could easily be equipped also with an ask
elimination like the one proposed by Sahlin (which of course, if employed, would
lead to weaker correctness results).

In our example program, the application of branch elimination and conservative ask elimination leads to the following: 

auction_right(LastBid) ← tell(LastBid ≠ quit) || 
bidder_a(Bs, As) || 
tell([LastBid|As] = [HisBid|HisList']) || 
make_new_bid_b(HisBid,MyBid) || 
ask(MyBid = quit) → (tell(Bs = [quit|Bs']) || broadcast("b quits")) 
+ ask(MyBid ≠ quit) → (tell(Bs = [MyBid|Bs']) || 
                        tell(MyBid ≠ quit) || 
                        bidder_b(HisList',Bs')) 

Via a tell elimination of tell([LastBid|As] = [HisBid|HisList']), this simplifies to: 

auction_right(LastBid) ← tell(LastBid ≠ quit) || 
bidder_a(Bs, As) || 
make_new_bid_b(LastBid,MyBid) || 
ask(MyBid = quit) → (tell(Bs = [quit|Bs']) || broadcast("b quits")) 
+ ask(MyBid ≠ quit) → (tell(Bs = [MyBid|Bs']) || 
                        tell(MyBid ≠ quit) || 
                        bidder_b(As,Bs')) 

3.6 Distribution 

A crucial operation in our transformation system is the distribution, which consists of bringing an agent inside a choice as follows: from the agent A || Σ_i ask(c_i) → B_i, we want to obtain the agent Σ_i ask(c_i) → (A || B_i). This operation requires delicate applicability conditions, as it can easily introduce deadlocks: consider for instance the following contrived program D. 

p(Y) ← q(X) || ask(X >= 0) → tell(Y = 0) 
q(0) ← stop 

In this program, the process D.p(Y) originates the derivation (D.p(Y), true) →* (D.Stop, Y = 0). Now, if we blindly apply the distribution operation to the first definition we would change D into: 

p(Y) ← ask(X >= 0) → (q(X) || tell(Y = 0)) 

and now we have that (D.p(Y), true) generates only deadlocking derivations. This 
situation is avoided by demanding that the agent being distributed will not be able 
to produce any output, unless it is completely determined which branches of the 
choices might be entered. 
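The deadlock just described can be reproduced with a small interpreter. The following Python program is an added illustration, not code from the paper: it encodes tell, ask, parallel composition and procedure calls over a store of X = integer / X = Y equalities (guards restricted to comparing a variable with an integer, and a scheduler that always takes the first entailed branch, both my own simplifying assumptions), runs p(Y) in the program D before and after the blind distribution, and reports the termination mode in the sense of Definition 4.1; the `productive` helper is a constructed approximation of Definition 3.9.

```python
"""Tiny CCP interpreter over a store of X = integer / X = Y equalities:
a constructed illustration, not the paper's formal transition system."""
STOP = ("stop",)
tell_agent = lambda x, y: ("tell", x, y)            # tell(x = y); y is an int or a variable name
ask = lambda *branches: ("ask", list(branches))     # choice: sum of (guard, agent) pairs
par = lambda *agents: ("par", list(agents))         # parallel composition A || B || ...
call = lambda name, *args: ("call", name, list(args))  # procedure call p(X, ...)

def deref(store, x):
    """Follow aliases; returns an int or the name of an unbound variable."""
    while isinstance(x, str) and x in store:
        x = store[x]
    return x

def add_equality(store, x, y):
    """Add x = y to the store; False means the store became inconsistent."""
    a, b = deref(store, x), deref(store, y)
    if isinstance(b, str):            # put the unbound side (if any) in a
        a, b = b, a
    if isinstance(a, str) and a != b:
        store[a] = b
    return isinstance(a, str) or a == b

def entails(store, guard):
    """Store entails guard (op, var, n)?  No information on var means no."""
    op, x, n = guard
    v = deref(store, x)
    return not isinstance(v, str) and {"=": v == n, "!=": v != n, ">=": v >= n}[op]

def map_vars(agent, f):
    """Rebuild the agent with f applied to every variable occurrence."""
    kind = agent[0]
    if kind == "tell":
        return ("tell", f(agent[1]), f(agent[2]) if isinstance(agent[2], str) else agent[2])
    if kind == "ask":
        return ("ask", [((op, f(v), n), map_vars(b, f)) for (op, v, n), b in agent[1]])
    if kind == "par":
        return ("par", [map_vars(a, f) for a in agent[1]])
    if kind == "call":
        return ("call", agent[1], [f(v) for v in agent[2]])
    return agent

def variables(agent):
    seen = set()
    map_vars(agent, lambda v: seen.add(v) or v)
    return seen

def unfold(decls, name, args, counter):
    """Rule R4: the body with parameters bound to the actual arguments, other locals renamed apart."""
    params, body = decls[name]
    m = dict(zip(params, args))
    for v in sorted(variables(body) - set(params)):
        counter[0] += 1
        m[v] = f"{v}_{counter[0]}"
    return map_vars(body, lambda v: m.get(v, v))

def run(decls, agent, store=None, max_steps=10_000):
    """Evaluate until no agent can move: (final store, mode ss | dd | ff)."""
    store, active, counter = dict(store or {}), [agent], [0]
    for _ in range(max_steps):
        for i, a in enumerate(active):
            kind = a[0]
            if kind == "stop":
                del active[i]
            elif kind == "par":
                active[i:i + 1] = a[1]
            elif kind == "tell":
                del active[i]
                if not add_equality(store, a[1], a[2]):
                    return store, "ff"
            elif kind == "call":
                active[i] = unfold(decls, a[1], a[2], counter)
            else:                     # ask: first entailed branch, else suspend
                fired = [b for g, b in a[1] if entails(store, g)]
                if not fired:
                    continue
                active[i] = fired[0]
            break                     # one step taken; rescan from the front
        else:                         # nobody moved: a maximal derivation
            return store, ("ss" if not active else "dd")
    raise RuntimeError("no finite maximal derivation within the step budget")

def productive(decls, agent, store):
    """Definition 3.9, approximated: does evaluating the agent bind one of its own
    variables that the store leaves unbound (or never reach a maximal derivation)?"""
    try:
        final, _ = run(decls, agent, store)
    except RuntimeError:
        return True
    return any(isinstance(deref(store, v), str) and not isinstance(deref(final, v), str)
               for v in variables(agent))

# The contrived program D of Section 3.6; the head constant of q(0) <- stop is
# written as an explicit tell, which is how rule R4 treats it.
D = {
    "p": (["Y"], par(call("q", "X"), ask(((">=", "X", 0), tell_agent("Y", 0))))),
    "q": (["X"], par(tell_agent("X", 0), STOP)),
}
# The same program after a blind distribution of q(X) into the choice.
D_DISTRIBUTED = dict(D, p=(["Y"], ask(((">=", "X", 0), par(call("q", "X"), tell_agent("Y", 0))))))
```

Evaluating run(D, call("p", "Y")) ends in mode ss with Y = 0, while the same call in D_DISTRIBUTED ends in dd with Y unbound; productive(D, call("q", "X"), {}) is True, which is why condition (b) of Definition 3.10 has to hold here, and it does not.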

To define the applicability conditions for the distribution operation we then need the notion of productive configuration. Here and in the following we say that a derivation (D.A, c) →* (D.A', c') is maximal if (D.A', c') ↛. 

Definition 3.9 (Productive). Given a process D.A and a satisfiable constraint c, we say that (D.A, c) is productive iff either it has no (finite) maximal derivations or there exists a derivation (D.A, c) →* (D.A', c') such that 𝒟 ⊨ ¬(∃_{-Z} c → ∃_{-Z} c'), where Z = Var(A). 

So, a configuration is productive if its evaluation can (strictly) augment the 
information contained in the global store. For technical reasons which will be clear 
after the next definition, we call productive also those configurations which have 
no finite maximal derivations. 

We can now provide the definition of the distribution operation. 

Definition 3.10 (Distribution). Let D be a set of declarations and let 

d : H ← C[A || Σ_{i=1}^{n} ask(c_i) → B_i] 

be a declaration in D, where e = pc(C[ ]). The distribution of A in d yields as result the definition 

d' : H ← C[Σ_{i=1}^{n} ask(c_i) → (A || B_i)] 

provided that for every constraint c such that Var(c) ∩ Var(d) ⊆ Var(H, C), if (D.A, c ∧ e) is productive then both the following conditions hold: 

(a) there exists at least one i ∈ [1, n] such that 𝒟 ⊨ (c ∧ e) → c_i, 

(b) for each i ∈ [1, n], either 𝒟 ⊨ (c ∧ e) → c_i or 𝒟 ⊨ (c ∧ e) → ¬c_i. 

Intuitively, the constraint c models the possible ways of "calling" A || Σ_{i=1}^{n} ask(c_i) → B_i. Condition (b) basically requires that if the store c is such that A might produce some output (that is, the configuration (D.A, c ∧ e) is productive), then for each branch of the choice it is already determined whether we can follow it or not. This guarantees that the constraints possibly added to the store by the evaluation of A cannot influence the choice. Moreover, condition (a) guarantees that we do not apply the operation to a case such as tell(X = a) || ask(false) → stop, which would clearly be wrong. If (D.A, c ∧ e) is not productive then we do not impose any condition, since the evaluation of (D.A, c ∧ e) cannot affect the choice. As previously mentioned, we call productive also those configurations which have no finite maximal derivations, that is, those configurations which originate non-terminating computations only (possibly with no output). In fact, also in this case we need conditions (a) and (b), since otherwise bringing A inside the choice might transform a looping program into a deadlocking one. 

The above applicability conditions are a strict improvement on the ones we pre- 
sented in [Etalle et al. 1998], in which we used the concept of required variable. We 
now report this definition, both for simplifying the explanation for some examples 
and for comparing the above definition of distribution with the one in [Etalle et al. 
1998]. 

Definition 3.11 (Required Variable). We say that the process D.A requires the variable X iff, for each satisfiable constraint c such that 𝒟 ⊨ ∃_X c ↔ c, (D.A, c) is not productive. 

In other words, the agent A requires the variable X if, when the global store does not contain any information on X, A cannot produce any information which affects the variables occurring in A and has at least one finite maximal derivation. Even though the above notion is not decidable in general, it is easy to find widely applicable (decidable) sufficient conditions guaranteeing that a certain variable is required. For example it is immediate to see that, in our program, bidder_a(Bs, As) requires Bs: in fact the derivation starting in bidder_a(Bs, As) suspends (without having provided any output) after one step and resumes only when more information on the variable Bs has been produced. 

The following remark clarifies how the concept of required variable might be used 
for ensuring the applicability of the distributive operation. Its proof is straightfor- 
ward. 

Remark 3.12. Referring to Definition 3.10, if A requires a variable which does not occur in H, C[ ], then the distribution operation is applicable. 

Proof. In this case, there exists no constraint c such that Var(c) ∩ Var(d) ⊆ Var(H, C) and (D.A, c ∧ e) is productive. □ 

In our example, since the agent bidder_a(Bs, As) requires the variable Bs, which 
occurs only inside the ask guards, we can safely apply the distributive operation. 
The result is the following program. 

auction_right(LastBid) ← tell(LastBid ≠ quit) || make_new_bid_b(LastBid,MyBid) || 
ask(MyBid = quit) → tell(Bs = [quit|Bs']) || broadcast("b quits") || bidder_a(Bs, As) 
+ ask(MyBid ≠ quit) → (tell(Bs = [MyBid|Bs']) || 
                        tell(MyBid ≠ quit) || 
                        bidder_a(Bs, As) || 
                        bidder_b(As, Bs')) 

In this program we can now eliminate the construct tell(Bs = [MyBid|Bs']): in fact, even though the variable Bs here occurs also elsewhere in the definition, we can assume it to be renamed, since it occurs only on choice branches different from the one on which the considered agent lies. Thus we obtain: 

auction_right(LastBid) ← tell(LastBid ≠ quit) || make_new_bid_b(LastBid,MyBid) || 
ask(MyBid = quit) → tell(Bs = [quit|Bs']) || broadcast("b quits") || bidder_a(Bs, As) 
+ ask(MyBid ≠ quit) → (tell(MyBid ≠ quit) || 
                        bidder_a([MyBid|Bs'], As) || 
                        bidder_b(As, Bs')) 

Before we introduce the fold operation, let us clean up the program a bit further: we can now first apply a tell elimination to tell(Bs = [quit|Bs']), and then properly transform (by unfolding, and simplifying the result) the agent bidder_a([quit|Bs'], As) in the first ask branch. We easily obtain: 

auction_right(LastBid) ← tell(LastBid ≠ quit) || make_new_bid_b(LastBid,MyBid) || 
ask(MyBid = quit) → broadcast("b quits") || stop 
+ ask(MyBid ≠ quit) → (tell(MyBid ≠ quit) || 
                        bidder_a([MyBid|Bs'], As) || 
                        bidder_b(As, Bs')) 

The just introduced stop agent can safely be removed (see Proposition 4.2) and we are left with: 

auction_right(LastBid) ← tell(LastBid ≠ quit) || make_new_bid_b(LastBid,MyBid) || 
ask(MyBid = quit) → broadcast("b quits") 
+ ask(MyBid ≠ quit) → (tell(MyBid ≠ quit) || 
                        bidder_a([MyBid|Bs'], As) || 
                        bidder_b(As, Bs')) 

3.7 Folding 

The folding operation has a special role in the suite of the transformation operations. This is due to the fact that it allows us to introduce recursion in a definition, often making it independent from the definitions it depended on. As previously mentioned, the applicability conditions that we use here for the folding operation do not depend on the transformation history; nevertheless, we require that the declarations used to fold an agent appear in the initial program. Thus, before defining the fold operation, we need the following. 

Definition 3.13. A transformation sequence is a sequence of programs D_0, ..., D_n, in which D_0 is an initial program and each D_{i+1} is obtained from D_i via one of the following transformation operations: unfolding, backward instantiation, tell elimination, tell introduction, ask and tell simplification, branch elimination, conservative ask elimination, distribution and folding. 

Recall that we assume that the new declarations introduced by using the def- 
inition introduction operation are added once for all to the original program Dq 
before starting the transformation itself. We also need the notion of guarding con- 
text. Intuitively, a context C[ ] is guarding if the "hole" appears in the scope of an 
ask guard. 

Definition 3.14 (Guarding Context). We call C[ ] a guarding context iff 

C[ ] = C'[Σ_{i=1}^{n} ask(c_i) → A_i] and A_j = C''[ ] for some j ∈ [1, n]. 

So, for example, ask(c) → (A || [ ]) is a guarding context, while (ask(c) → A) || [ ] is not. We can finally give the definition of folding: 
Definition 3.15 (Folding). Let D_0, ..., D_i, i ≥ 0, be a transformation sequence. Consider two definitions 

d : H ← C[A] ∈ D_i 
f : B ← A ∈ D_0 

If C[ ] is a guarding context, B contains only distinct variables as arguments and Var(A) ∩ Var(C, H) ⊆ Var(B) then folding A in d consists of replacing d by 

d' : H ← C[B] ∈ D_{i+1} 

(it is assumed here that d and f are suitably renamed so that the variables they have in common are only the ones occurring in A). 

In many situations this operation is actually applicable also in absence of a guarding 
context as discussed below. 

Remark 3.16. We can apply the fold operation also in case C[ ] is not a guarding context (referring to the notation of the previous definition), provided that the definition H ← C[A] was neither modified nor used during the transformation. In fact, in this case we can simply assume that the original definition of H ← C[A] contained a dummy ask guard as in 

H ← ask(true) → C[A] 

that the folding operation is applied to this definition, and that the guard ask(true) 
will eventually be removed by an ask elimination operation. 

Actually, in many cases this reasoning can be applied also to definitions that are 
used during the transformation. This kind of folding is called propagation folding 
(as opposed to the recursive folding): it is not employed to introduce recursion, 
but to propagate to other contexts the efficiency that was hopefully gained by the 
transformation. Usually, transformation systems provide a special condition for 
the propagation folding operation. For instance, in [Tamaki and Sato 1984], a 
distinction is made between new and old predicates. Here we decided not to do so. 
This allows us to have a definition of folding operation which is particularly simple. 

We refer to the end of Example 6.2 for an example of application of folding 
without guarding context. 

The reach of the folding operation is best shown via our example. We can now fold auction_left(MyBid) in the above definition, and obtain: 

auction_right(LastBid) ← tell(LastBid ≠ quit) || make_new_bid_b(LastBid,MyBid) || 
ask(MyBid = quit) → broadcast("b quits") 
+ ask(MyBid ≠ quit) → auction_left(MyBid) 

Now, by performing an identical optimization on auction_left, we can also obtain: 

auction_left(LastBid) ← tell(LastBid ≠ quit) || make_new_bid_a(LastBid,MyBid) || 
ask(MyBid = quit) → broadcast("a quits") 
+ ask(MyBid ≠ quit) → auction_right(MyBid) 

This part of the transformation shows in a striking way one of the main benefits of the folding operation: the saving of synchronization points. Notice that in the initial program the two bidders had to "wait" for each other. In principle they were working in parallel, but in practice they were always acting sequentially, since one had always to wait for the bid of the competitor. The transformation allowed us to discover this sequentiality and to obtain an equivalent program in which the sequentiality is exploited to eliminate all suspension points, which are known to be one of the major sources of overhead. Furthermore, the transformation allows a drastic saving of computational space. In fact, in the initial definition the parallel composition of the two bidders leads to the construction of two lists containing all the bids made so far. After the transformation we have a definition which does not build the lists any longer, and which, by exploiting a straightforward optimization, can employ only constant space. 

Concerning the syntax of the operation, in our setting the folding operation reduces to a mere replacement. To people familiar with this operation, this might seem restrictive: one might wish to apply the folding also in the case that the definition to be folded contains an instance of A, i.e. when d has the form H ← C[Aσ] (in this case the folding operation is applicable only if σ satisfies specific conditions described in [Tamaki and Sato 1984] for logic programs and in [Etalle and Gabbrielli 1996] for CLP). This extended operation would actually correspond to the (most) usual definition of folding as in [Tamaki and Sato 1984; Etalle and Gabbrielli 1996; Bensaou and Guessarian 1998]. In our system such an extended operation is formally not needed, as it can be obtained by combining together the folding operation with the tell introduction. 

In fact, assume that we would like to fold the definition 

d : H ← C[Aσ] ∈ D_i 

by using the definition 

f : B ← A ∈ D_0 

In the first place, via a tell introduction, we can modify definition d as follows 

d* : H ← C[A || tell(X = Xσ)], 

Clearly, we assume here that X and σ fulfill the applicability conditions given in Definition 3.2. Then, via a normal folding operation we obtain 

d** : H ← C[B || tell(X = Xσ)] 

(provided that the applicability conditions for the folding are satisfied) which is equivalent to the definition 

d' : H ← C[Bσ]. 

obtained in the case of the folding operation as defined in [Tamaki and Sato 1984; Etalle and Gabbrielli 1996; Bensaou and Guessarian 1998]. Actually, in case the constraint domain admits most general unifiers, the definition d' can be obtained from d** by using a tell elimination operation (also in this case we assume that the applicability conditions for the tell elimination are satisfied). 

For the sake of simplicity, we do not give the explicit definition of this (derived) extended folding operation and of its applicability conditions. Therefore, the occurrences of this operation in the last example of Section 6 have to be considered as shorthand for the sequence of operations described above. 

4. CORRECTNESS 

Any transformation system must be useful (i.e. allow useful transformations and optimizations) and, most importantly, correct, i.e., it must guarantee that the resulting program is in some sense equivalent to the one we have started with. 

Having at hand the transition system in Table I, we provide now the intended semantics to be preserved by the transformation system by defining a suitable notion of "observables". We start with the following definition which takes into account terminating and failed computations only. In the next Section we will consider also non-terminating computations. Here and in the sequel we say that a constraint c is satisfiable iff 𝒟 ⊨ ∃ c. 

Definition 4.1 (Observables). Let D.A be a CCP process. We define 

O(D.A) = {(c, ∃_{-Var(A,c)} d, ss) | c and d are satisfiable, and there exists 
                a derivation (D.A, c) →* (D.Stop, d)} 
       ∪ {(c, ∃_{-Var(A,c)} d, dd) | c and d are satisfiable, and there exists 
                a derivation (D.A, c) →* (D.B, d) ↛, B ≠ Stop} 
       ∪ {(c, false, ff) | c is satisfiable, and there exists 
                a derivation (D.A, c) →* (D.B, false)}. 

Thus what we observe are the results of terminating computations (if consistent), abstracting from the values of the local variables in the results, and distinguishing the successful computations from the deadlocked ones (by using the termination modes ss and dd, respectively). We also observe failed computations, i.e. those computations which produce an inconsistent store. 

Having defined a formal semantics for our paradigm, we can now define more precisely the notion of correctness for the transformation system; we say that a transformation sequence D_0, ..., D_n is partially correct iff, for each agent A, we have that 

O(D_0.A) ⊇ O(D_n.A) 

holds, that is, nothing is added to the semantics of the initial program. Dually, we say that D_0, ..., D_n is complete iff, for each agent A, we have that 

O(D_0.A) ⊆ O(D_n.A) 

holds, that is, no semantic information is lost during the transformation. Finally a transformation sequence is called totally correct iff it is both partially correct and complete. 

In the following we prove that our transformation system is totally correct. As previously mentioned, for the sake of readability some proofs are only sketched and their full versions can be found in the Appendix. 

The proof of this result is originally inspired by the one of Tamaki and Sato for pure logic programs [Tamaki and Sato 1984] and has retained some of its notation; in particular we also use the notions of weight and of split derivation. Of course the similarities do not go any further, as demonstrated by the fact that in our transformation system the applicability conditions of the folding operation do not depend on the transformation history (while allowing the introduction of recursion), and that the folding definitions are allowed to be recursive (the distinction between P_new and P_old of [Tamaki and Sato 1984] is now superfluous). 

We start with the following proposition, which allows us to eliminate stop agents in programs. 

Proposition 4.2. For any agent A and set of declarations D, O(D.A || stop) = O(D.A). 

Proof. The proof follows immediately from the definition of observables by noting that, according to rules R1-R4, the agent stop has no transition and (D.A || stop, c) →* (D.B || stop, d) iff (D.A, c) →* (D.B, d), where obviously B || stop is equal to Stop iff B = Stop (recall that Stop is the generic agent containing only || and stop). □ 

The following notion of mode will be useful to shorten the notation. 

Definition 4.3. Let D_0, ..., D_n be a transformation sequence, A be an agent and d be a constraint. We define the mode m(A, d) of the agent A w.r.t. the constraint d as follows 

m(A, d) = ss if d is satisfiable and A = Stop 
          dd if d is satisfiable, (D_0.A, d) ↛ and A ≠ Stop 
          ff if d is not satisfiable 

Note that the notion of mode does not depend on the set of declarations D_i we are considering, that is, in the above definition we could equivalently use D_i rather than D_0. This is the content of the following. 

Proposition 4.4. Let D_0, ..., D_n be a transformation sequence, A be an agent and d be a constraint. Then (D_0.A, d) ↛ iff (D_i.A, d) ↛, for any i ∈ [1, n]. 

Proof. Immediate by observing that a procedure call can be evaluated in D_0 iff it can be evaluated in D_i, for any i ∈ [1, n]. □ 

In what follows, we are going to refer to a fixed transformation sequence D_0, ..., D_n. We start with the following result, concerning partial correctness. 

Proposition 4.5 (Partial Correctness). If, for each agent A, O(D_0.A) = O(D_i.A) holds then, for each agent A, O(D_i.A) ⊇ O(D_{i+1}.A). 

Proof. (Sketch). We show that given an agent A and a satisfiable constraint c_I, if there exists a derivation ξ = (D_{i+1}.A, c_I) →* (D_{i+1}.B, c_F), with m(B, c_F) ∈ {ss, dd, ff}, then there exists also a derivation ξ' = (D_i.A, c_I) →* (D_i.B', c'_F) with ∃_{-Var(A,c_I)} c'_F = ∃_{-Var(A,c_I)} c_F and m(B', c'_F) = m(B, c_F). By Definition 4.1, this will imply the thesis. The proof is by induction on the length l of the derivation. 

(l = 0). In this case ξ = (D_{i+1}.A, c_I). By the definition, (D_i.A, c_I) is also a derivation of length 0 and then the thesis holds. 

(l > 0). If the first step of derivation ξ does not use rule R4, then the proof follows from the inductive hypothesis. 

Now, assume that the first step of derivation ξ uses rule R4 and let d' ∈ D_{i+1} be the declaration used in the first step of ξ. If d' was not modified in the transformation step from D_i to D_{i+1} (that is, d' ∈ D_i), then the result follows from the inductive hypothesis. We assume then that d' ∉ D_i; d' is then the result of the transformation operation applied to obtain D_{i+1}. The proof proceeds by distinguishing various cases according to the operation itself. Here we consider only the operations of unfolding, tell elimination, tell introduction and folding. The other cases are deferred to the Appendix. 

Unfolding: If d' is the result of an unfolding operation then the proof is immediate. 

Tell elimination and introduction: If d' is the result of a tell elimination or of a tell introduction the thesis follows from a straightforward analysis of the possible derivations which use d or d'. First, observe that for any derivation which uses a declaration H ← C[tell(s = t) || B], we can construct another derivation such that the agent tell(s = t) is evaluated before B. Moreover, for any constraint c such that ∃_{dom(σ)} c = ∃_{dom(σ)} cσ (where σ is a relevant most general unifier of s and t), there exists a derivation step (D_i.B_1σ, cσ) → (D_i.B_2σ, c') if and only if there exists a derivation step (D_i.B_1, c ∧ (s = t)) → (D_i.B_2, c''), where, for some constraint e, c' = eσ, c'' = e ∧ (s = t) and therefore c' = ∃_{dom(σ)} c''. Finally, since by definition σ is idempotent and the variables in the domain of σ occur neither in C[ ] nor in H, for any constraint e we have that ∃_{-Var(A,c_I)} eσ = ∃_{-Var(A,c_I)} (e ∧ (s = t)). 

Folding: If d' is the result of a folding then let 

- d : q(r̃) ← C[H] be the folded declaration (∈ D_i), 

- f : p(X̃) ← H be the folding declaration (∈ D_0), 

- d' : q(r̃) ← C[p(X̃)] be the result of the folding operation (∈ D_{i+1}) 

where, by hypothesis, Var(d) ∩ Var(X̃) ⊆ Var(H) and Var(H) ∩ (Var(r̃) ∪ Var(C)) ⊆ Var(X̃). In this case ξ = (D_{i+1}.C_I[q(ṽ)], c_I) → (D_{i+1}.C_I[C[p(X̃)] || tell(ṽ = r̃)], c_I) →* (D_{i+1}.B, c_F) and we can assume, without loss of generality, that Var(C_I[q(ṽ)], c_I) ∩ Var(H) = ∅. 
By the inductive hypothesis, there exists a derivation 

χ = (D_i.C_I[C[p(X̃)] || tell(ṽ = r̃)], c_I) →* (D_i.B'', c''_F), 

with ∃_{-Var(C_I[C[p(X̃)] || tell(ṽ=r̃)], c_I)} c''_F = ∃_{-Var(C_I[C[p(X̃)] || tell(ṽ=r̃)], c_I)} c_F and 

m(B'', c''_F) = m(B, c_F). (1) 

Since Var(C_I[q(ṽ)], c_I) ⊆ Var(C_I[C[p(X̃)] || tell(ṽ = r̃)], c_I), we have that 

∃_{-Var(C_I[q(ṽ)], c_I)} c''_F = ∃_{-Var(C_I[q(ṽ)], c_I)} c_F. (2) 

Since by hypothesis for any agent A', O(D_0.A') = O(D_i.A'), there exists a derivation 

ξ_0 = (D_0.C_I[C[p(X̃)] || tell(ṽ = r̃)], c_I) →* (D_0.B_0, c_0) 

such that ∃_{-Var(C_I[C[p(X̃)] || tell(ṽ=r̃)], c_I)} c_0 = ∃_{-Var(C_I[C[p(X̃)] || tell(ṽ=r̃)], c_I)} c''_F and m(B_0, c_0) = m(B'', c''_F). 

By (1), (2) and since Var(C_I[q(ṽ)], c_I) ⊆ Var(C_I[C[p(X̃)] || tell(ṽ = r̃)], c_I), we have that 

∃_{-Var(C_I[q(ṽ)], c_I)} c_0 = ∃_{-Var(C_I[q(ṽ)], c_I)} c_F and m(B_0, c_0) = m(B, c_F). (3) 

Let f' : p(X̃') ← H' be an appropriate renaming of f, which renames only the variables in X̃, such that Var(d) ∩ Var(f') = ∅ (note that this is possible, since Var(H) ∩ (Var(r̃) ∪ Var(C)) ⊆ Var(X̃)). By hypothesis, Var(C_I[q(ṽ)], c_I) ∩ Var(H) = ∅. Then, without loss of generality we can assume that Var(ξ_0) ∩ Var(f') ≠ ∅ if and only if the procedure call p(X̃) is evaluated, in which case declaration f' is used. Thus there exists a derivation 

(D_0.C_I[C[H' || tell(X̃ = X̃')] || tell(ṽ = r̃)], c_I) →* (D_0.B'_0, c_0), 

where m(B'_0, c_0) = m(B_0, c_0). By (3) we have 

m(B'_0, c_0) = m(B, c_F). (4) 

We now show that we can substitute H for H' || tell(X̃ = X̃') in the previous derivation. Since f' : p(X̃') ← H' is a renaming of f : p(X̃) ← H, the equality X̃ = X̃' is a conjunction of equations involving only distinct variables. Then, by replacing the variables X̃ with X̃' and vice versa in the previous derivation we obtain the derivation 

χ_0 = (D_0.C_I[C[H || tell(X̃' = X̃)] || tell(ṽ = r̃)], c_I) →* (D_0.B''_0, c'_0) 

where ∃_{-Var(C_I[C[H || tell(X̃'=X̃)] || tell(ṽ=r̃)], c_I)} c'_0 = ∃_{-Var(C_I[C[H || tell(X̃'=X̃)] || tell(ṽ=r̃)], c_I)} c_0 and m(B''_0, c'_0) = m(B'_0, c_0). From (4) it follows that 

m(B''_0, c'_0) = m(B, c_F). (5) 

Then, from (3) and since Var(C_I[q(ṽ)], c_I) ⊆ Var(C_I[C[H || tell(X̃' = X̃)] || tell(ṽ = r̃)], c_I) we obtain 

∃_{-Var(C_I[q(ṽ)], c_I)} c'_0 = ∃_{-Var(C_I[q(ṽ)], c_I)} c_F. (6) 

Moreover, we can drop the constraint tell(X̃' = X̃), since the declarations used in the derivation are renamed apart and, by construction, Var(C_I[C[H] || tell(r̃ = ṽ)], c_I) ∩ Var(X̃') = ∅. Therefore there exists a derivation (D_0.C_I[C[H] || tell(ṽ = r̃)], c_I) →* (D_0.B'''_0, c''_0) which performs exactly the same steps as χ_0, (possibly) except for the evaluation of tell(X̃' = X̃), and such that ∃_{-Var(C_I[C[H] || tell(ṽ=r̃)], c_I)} c''_0 = ∃_{-Var(C_I[C[H] || tell(ṽ=r̃)], c_I)} c'_0 and m(B'''_0, c''_0) = m(B''_0, c'_0). From (5), (6) and since Var(C_I[q(ṽ)], c_I) ⊆ Var(C_I[C[H] || tell(ṽ = r̃)], c_I), it follows that 

m(B'''_0, c''_0) = m(B, c_F) and ∃_{-Var(C_I[q(ṽ)], c_I)} c''_0 = ∃_{-Var(C_I[q(ṽ)], c_I)} c_F. (7) 

Since by hypothesis O(D_0.A') = O(D_i.A') holds for any agent A', there exists a derivation 

(D_i.C_I[C[H] || tell(ṽ = r̃)], c_I) →* (D_i.B', c'_F) 

where 

∃_{-Var(C_I[C[H] || tell(ṽ=r̃)], c_I)} c'_F = ∃_{-Var(C_I[C[H] || tell(ṽ=r̃)], c_I)} c''_0 

and m(B', c'_F) = m(B'''_0, c''_0). 

From (7) and since Var(C_I[q(ṽ)], c_I) ⊆ Var(C_I[C[H] || tell(ṽ = r̃)], c_I), we obtain 

m(B', c'_F) = m(B, c_F) and ∃_{-Var(C_I[q(ṽ)], c_I)} c'_F = ∃_{-Var(C_I[q(ṽ)], c_I)} c_F. (8) 

Finally, since d : q(r̃) ← C[H] ∈ D_i, there exists a derivation 

ξ' = (D_i.C_I[q(ṽ)], c_I) → (D_i.C_I[C[H] || tell(ṽ = r̃)], c_I) →* (D_i.B', c'_F) 

and then the thesis follows from (8). □ 
In order to prove total correctness we need the following. 

Definition 4.6 (Weight). Let ξ be a derivation. We denote by wh(ξ) the number of derivation steps in ξ which use rule R2. Given an agent A and a pair of satisfiable constraints c, d, we then define the success weight W_ss(A, c, d) of the agent A w.r.t. the constraints c and d as follows 

W_ss(A, c, d) = min{n | n = wh(ξ) and ξ is a derivation (D_0.A, c) →* (D_0.Stop, d') ↛ 
                       with ∃_{-Var(A,c)} d' = ∃_{-Var(A,c)} d } 

Analogously, we define the deadlock weight W_dd(A, c, d) of the agent A w.r.t. the constraints c and d 

W_dd(A, c, d) = min{n | n = wh(ξ) and ξ is a derivation (D_0.A, c) →* (D_0.B, d') ↛ 
                       with B ≠ Stop and ∃_{-Var(A,c)} d' = ∃_{-Var(A,c)} d } 

and the failure weight W_ff(A, c, d') of the agent A w.r.t. the constraints c and d' 

W_ff(A, c, d') = min{n | n = wh(ξ) and ξ is a derivation (D_0.A, c) →* (D_0.B, d') 
                        with d' = false } 

Notice that W_ss(A, c, d) is undefined in case there is no successful derivation corresponding to the given constraints (and analogously for W_dd and W_ff). Also, both W_ss(A, c, false) and W_dd(A, c, false) are undefined, as the success and deadlock weight consider only non-failed derivations (i.e. derivations which do not produce the constraint false). 

As previously mentioned, this notion of weight is rather different from the one 
in [Tamaki and Sato 1984], since the latter is based on the number of nodes in a 
proof tree for an atom, by taking into account the fact that the predicate symbol 
appearing in that atom is "new" or "old" . 

In the total correctness proof we also make use of the concept of split derivations. Intuitively, these are derivations which can be split into two parts: the first one, up to the first ask evaluation, is performed in the program D_i while the second one is carried out in D_0. 

Definition 4.7 (Split derivation). Let D_0, ..., D_i be a transformation sequence. We call a derivation in D_i ∪ D_0 a successful split derivation if it has the form 

(D_i.A_1, c_1) →* (D_i.A_m, c_m) → (D_0.A_{m+1}, c_{m+1}) →* (D_0.Stop, c_n) ↛ 

where c_n is a satisfiable constraint, m ∈ [1, n]¹ and the following conditions hold: 

(a) the first m − 1 derivation steps do not use rule R2; 

(b) the m-th derivation step (D_i.A_m, c_m) → (D_0.A_{m+1}, c_{m+1}) uses rule R2; 

(c) W_ss(A_1, c_1, c_n) > W_ss(A_{m+1}, c_{m+1}, c_n). 

A deadlocked split derivation is defined analogously, by replacing W_ss with W_dd and Stop with a generic agent B ≠ Stop in the last configuration of the derivation above. 

¹ If m = n we can write indifferently (D_i.Stop, c_n) or (D_0.Stop, c_n) to denote the last configuration of the derivation. 

Finally a failed split derivation is defined by replacing W_ss with W_ff and Stop with a generic agent (which is not necessarily terminated) and by assuming that c_n = false in the last configuration of the derivation above. 

In the following we call split derivations both successful, deadlocked and failed 
split derivations. The previous definition is inspired by the definition of descent 
clause of [Kawamura and Kanamori 1988]; however, here we use a different notion 
of weight and rather different conditions on them. We need one final concept. 

Definition 4.8. We call the program D_i weight complete iff, for any agent A, for any satisfiable constraint c and for any constraint d, the following holds: if there exists a derivation 

(D_0.A, c) →* (D_0.B, d) 

such that m(B, d) ∈ {ss, dd, ff} then there exists a split derivation in D_i ∪ D_0 

(D_i.A, c) →* (D_0.B', d') 

where ∃_{-Var(A,c)} d' = ∃_{-Var(A,c)} d and m(B', d') = m(B, d). 

So D_i is weight complete if we can reconstruct the semantics of D_0 by using only (successful, deadlocked and failed) split derivations in D_i ∪ D_0. We now show that if D_i is weight complete then no observables are lost during the transformation (i.e., the transformation is complete). This is the content of the following. 

Proposition 4.9. If D_i is weight complete then, for any agent A, O(D_0.A) ⊆ O(D_i.A). 

Proof. We consider only the case of successful derivations, since the case of deadlocked (failed) derivations can be proved analogously by considering the notions of deadlock (failure) weight and deadlocked (failed) split derivation. Assume that there exists a (finite, successful) derivation (D_0.A, c) →* (D_0.Stop, d). We show, by induction on the success weight of (A, c, d), that there exists a derivation (D_i.A, c) →* (D_i.Stop, d'), where ∃_{-Var(A,c)} d' = ∃_{-Var(A,c)} d. 

Base Case. If W_ss(A, c, d) = 0 then, since D_i is weight complete, from Definition 4.7 and Definition 4.8 it follows that there exists a (successful) split derivation in D_i ∪ D_0 of the form (D_i.A, c) →* (D_i.Stop, d') where ∃_{-Var(A,c)} d' = ∃_{-Var(A,c)} d, rule R2 is not used and therefore each derivation step is done in D_i. 

Inductive Case. Assume that W_ss(A, c, d) = n. Since D_i is weight complete there exists a (successful) split derivation in D_i ∪ D_0 

ξ : (D_i.A, c) →* (D_0.Stop, d'), 

where ∃_{-Var(A,c)} d' = ∃_{-Var(A,c)} d. If rule R2 is not used in ξ then the proof is the same as in the previous case. Otherwise ξ has the form 

(D_i.A, c) →* (D_i.A_m, c_m) → (D_0.A_{m+1}, c_{m+1}) →* (D_0.Stop, d') 

where W_ss(A, c, d') > W_ss(A_{m+1}, c_{m+1}, d'). Let ξ' be the derivation 

ξ' : (D_i.A, c) →* (D_i.A_m, c_m) → (D_i.A_{m+1}, c_{m+1}). 

By the inductive hypothesis, there exists a derivation 

ξ'' : (D_i.A_{m+1}, c_{m+1}) →* (D_i.Stop, d'') 

where ∃_{-Var(A_{m+1},c_{m+1})} d'' = ∃_{-Var(A_{m+1},c_{m+1})} d'. Without loss of generality, we can assume that Var(ξ') ∩ Var(ξ'') = Var(A_{m+1}, c_{m+1}) and hence there exists a derivation 

(D_i.A, c) →* (D_i.Stop, d''). 

Finally, by our hypothesis on the variables and by construction, 

∃_{-Var(A,c)} d'' = 
∃_{-Var(A,c)} (c_{m+1} ∧ ∃_{-Var(A_{m+1},c_{m+1})} d'') = 
∃_{-Var(A,c)} (c_{m+1} ∧ ∃_{-Var(A_{m+1},c_{m+1})} d') = 
∃_{-Var(A,c)} d' = 
∃_{-Var(A,c)} d 

which concludes the proof. □ 

Before proving the total correctness result we need some technical lemmata. Here and in the following we use the notation $W_t$ (with $t \in \{ss, dd, ff\}$) as a shorthand for the success weight $W_{ss}$, the deadlock weight $W_{dd}$ and the failure weight $W_{ff}$.

Lemma 4.10. Let $q(\tilde r) \leftarrow H \in D_0$, $t \in \{ss, dd, ff\}$ and let $C[\,]$ be a context. For any satisfiable constraint $c$ and for any constraint $c'$ such that $Var(C[q(\tilde t)], c) \cap Var(\tilde r) = \emptyset$ and $W_t(C[q(\tilde t)], c, c')$ is defined, there exists a constraint $d'$ such that $W_t(C[q(\tilde r) \parallel tell(\tilde t = \tilde r)], c, d') \le W_t(C[q(\tilde t)], c, c')$ and $\exists_{-Var(C[q(\tilde t)],c)} d' = \exists_{-Var(C[q(\tilde t)],c)} c'$.

Proof. Immediate. □

Lemma 4.11. Let $q(\tilde r) \leftarrow H \in D_0$ and $t \in \{ss, dd, ff\}$. For any context $C_I[\,]$, any satisfiable constraint $c$ and for any constraint $c'$, the following holds.

(1) If $Var(H) \cap Var(C_I, c) \subseteq Var(\tilde r)$ and $W_t(C_I[q(\tilde r)], c, c')$ is defined, then there exists a constraint $d'$ such that $Var(d') \subseteq Var(C_I[H], c)$, $W_t(C_I[H], c, d') \le W_t(C_I[q(\tilde r)], c, c')$ and $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$.

(2) If $Var(H) \cap Var(C_I, c) \subseteq Var(\tilde r)$, $Var(c') \cap Var(\tilde r) \subseteq Var(C_I[H], c)$ and $W_t(C_I[H], c, c')$ is defined, then there exists a constraint $d'$ such that $W_t(C_I[q(\tilde r)], c, d') \le W_t(C_I[H], c, c')$ and $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$.

Proof. Immediate. □

The following Lemma is crucial in the proof of completeness.

Lemma 4.12. Let $0 \le i \le n$, $t \in \{ss, dd, ff\}$, $cl : q(\tilde r) \leftarrow H \in D_i$, and let $cl' : q(\tilde r) \leftarrow H'$ be the corresponding declaration in $D_{i+1}$ (in the case $i < n$). For any context $C_I[\,]$, any satisfiable constraint $c$ and any constraint $c'$ the following holds:

(1) If $Var(H) \cap Var(C_I, c) \subseteq Var(\tilde r)$ and $W_t(C_I[q(\tilde r)], c, c')$ is defined, then there exists a constraint $d'$ such that $Var(d') \subseteq Var(C_I[H], c)$, $W_t(C_I[H], c, d') \le W_t(C_I[q(\tilde r)], c, c')$ and $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$;

(2) If $Var(H, H') \cap Var(C_I, c) \subseteq Var(\tilde r)$, $Var(c') \cap Var(\tilde r) \subseteq Var(C_I[H], c)$ and $W_t(C_I[H], c, c')$ is defined, then there exists a constraint $d'$ such that $Var(d') \subseteq Var(C_I[H'], c)$, $W_t(C_I[H'], c, d') \le W_t(C_I[H], c, c')$ and

$\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$.

Proof. (Sketch). Observe that, for $i = 0$, the proof of 1 follows from the first part of Lemma 4.11. We prove here that, for each $i \ge 0$,

a). If 1 holds for $i$ then 2 holds for $i$;

b). If 1 and 2 hold for $i$ then 1 holds for $i + 1$.

The proof of the Lemma then follows from a straightforward inductive argument.

a). If $cl$ was not affected by the transformation step from $D_i$ to $D_{i+1}$ then the result is obvious by choosing $d' = \exists_{-Var(C_I[H],c)} c'$. Assume then that $cl$ is affected when transforming $D_i$ to $D_{i+1}$. We have various cases according to the operation used to perform the transformation. Here we show only the proofs for the unfolding and the folding operations, the other cases being deferred to the Appendix.

Unfolding: Assume $cl' \in D_{i+1}$ was obtained from $D_i$ by unfolding. In this case, the situation is the following:

- $cl : q(\tilde r) \leftarrow C[p(\tilde t)] \in D_i$

- $u : p(\tilde s) \leftarrow B \in D_i$

- $cl' : q(\tilde r) \leftarrow C[B \parallel tell(\tilde t = \tilde s)] \in D_{i+1}$

where $cl$ and $u$ are assumed to be renamed so that they do not share variables. Let $n = W_t(C_I[C[p(\tilde t)]], c, c')$. By the definition of transformation sequence, there exists a declaration $p(\tilde s) \leftarrow B_0 \in D_0$. Moreover, by the hypothesis on the variables, $Var(C[p(\tilde t)], C[B \parallel tell(\tilde t = \tilde s)]) \cap Var(C_I, c) \subseteq Var(\tilde r)$ and then $Var(C_I[C[p(\tilde t)]], c) \cap Var(\tilde s) = \emptyset$. Therefore, by Lemma 4.10, there exists a constraint $d_1$ such that

$W_t(C_I[C[p(\tilde s) \parallel tell(\tilde t = \tilde s)]], c, d_1) \le W_t(C_I[C[p(\tilde t)]], c, c') = n$ (9)

and

$\exists_{-Var(C_I[C[p(\tilde t)]],c)} d_1 = \exists_{-Var(C_I[C[p(\tilde t)]],c)} c'$. (10)

By the hypothesis on the variables and since $u$ is renamed apart from $cl$, $Var(B) \cap Var(C_I, C, \tilde t, c) = \emptyset$ and therefore $Var(B) \cap Var(C_I[C[\,] \parallel tell(\tilde t = \tilde s)], c) \subseteq Var(\tilde s)$. Then, by Point 1, there exists a constraint $d'$ such that

$Var(d') \subseteq Var(C_I[C[B \parallel tell(\tilde t = \tilde s)]], c)$

$W_t(C_I[C[B \parallel tell(\tilde t = \tilde s)]], c, d') \le W_t(C_I[C[p(\tilde s) \parallel tell(\tilde t = \tilde s)]], c, d_1)$

$\exists_{-Var(C_I[C[p(\tilde s) \parallel tell(\tilde t = \tilde s)]],c)} d' = \exists_{-Var(C_I[C[p(\tilde s) \parallel tell(\tilde t = \tilde s)]],c)} d_1$.

By (9), $W_t(C_I[C[B \parallel tell(\tilde t = \tilde s)]], c, d') \le n$. Furthermore, by hypothesis and construction,

$Var(c', d') \cap Var(\tilde r) \subseteq Var(C_I[C[p(\tilde t)]], c)$

and, without loss of generality, we can assume that

$Var(d_1) \cap Var(\tilde r) \subseteq Var(C_I[C[p(\tilde t)]], c)$.

Then, by (10) and since $Var(C_I[C[p(\tilde t)]], c) \subseteq Var(C_I[C[p(\tilde s) \parallel tell(\tilde t = \tilde s)]], c)$, we have that $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$ and this completes the proof.
Folding: Let

- $cl : q(\tilde r) \leftarrow C[B]$ be the folded declaration ($\in D_i$),

- $f : p(\tilde X) \leftarrow B$ be the folding declaration ($\in D_0$),

- $cl' : q(\tilde r) \leftarrow C[p(\tilde X)]$ be the result of the folding operation ($\in D_{i+1}$),

where, by hypothesis, $Var(cl) \cap Var(\tilde X) \subseteq Var(B)$, $Var(B) \cap Var(\tilde r, C) \subseteq Var(\tilde X)$, $Var(C[B], C[p(\tilde X)]) \cap Var(C_I, c) \subseteq Var(\tilde r)$, $Var(c') \cap Var(\tilde r) \subseteq Var(C_I[C[B]], c)$ and there exists $n$ such that $W_t(C_I[C[B]], c, c') = n$. Then,

$Var(B) \cap Var(C_I[C[\,]], c) \subseteq Var(B) \cap Var(\tilde r, C) \subseteq Var(\tilde X)$ (11)

and

$Var(c') \cap Var(\tilde r) \subseteq Var(C_I[C[B]], c) \cap Var(\tilde r) \subseteq Var(C_I[C[p(\tilde X)]], c)$ (12)

hold. Moreover, we can assume without loss of generality that $Var(c') \cap Var(\tilde X) \subseteq Var(C_I[C[B]], c)$.

Since $f \in D_0$, from (11) and Point 2 of Lemma 4.11 it follows that there exists a constraint $d'$ such that $W_t(C_I[C[p(\tilde X)]], c, d') \le W_t(C_I[C[B]], c, c')$ and

$\exists_{-Var(C_I[C[p(\tilde X)]],c)} d' = \exists_{-Var(C_I[C[p(\tilde X)]],c)} c'$. (13)

We can assume, without loss of generality, that $Var(d') \subseteq Var(C_I[C[p(\tilde X)]], c)$. Then by using (12) and (13) we obtain that $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$, which concludes the proof of a).

b). Assume that the parts 1 and 2 of this Lemma hold for $i \ge 0$. We prove that 1 holds for $i + 1$.

Let $cl' : q(\tilde r) \leftarrow H' \in D_{i+1}$, and let $cl : q(\tilde r) \leftarrow H$ be the corresponding declaration in $D_i$. Moreover let $C_I[\,]$ be a context, $c$ a satisfiable constraint and let $c'$ be a constraint, such that $Var(H') \cap Var(C_I, c) \subseteq Var(\tilde r)$ and $W_t(C_I[q(\tilde r)], c, c')$ is defined. Without loss of generality, we can assume that $Var(H) \cap Var(C_I, c) \subseteq Var(\tilde r)$. Then, since by inductive hypothesis part 1 holds for $i$, there exists a constraint $d_1$ such that $Var(d_1) \subseteq Var(C_I[H], c)$,

$W_t(C_I[H], c, d_1) \le W_t(C_I[q(\tilde r)], c, c')$ and $\exists_{-Var(C_I[q(\tilde r)],c)} d_1 = \exists_{-Var(C_I[q(\tilde r)],c)} c'$. (14)

Since by inductive hypothesis part 2 holds for $i$, there exists a constraint $d'$ such that $Var(d') \subseteq Var(C_I[H'], c)$, $W_t(C_I[H'], c, d') \le W_t(C_I[H], c, d_1)$ and $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} d_1$. By (14), $W_t(C_I[H'], c, d') \le W_t(C_I[q(\tilde r)], c, c')$ and $\exists_{-Var(C_I[q(\tilde r)],c)} d' = \exists_{-Var(C_I[q(\tilde r)],c)} c'$, and then the thesis follows. □

We finally obtain our first main theorem.

Theorem 4.13 (Total Correctness). Let $D_0, \ldots, D_n$ be a transformation sequence. Then, for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_n.A)$.

Proof. (Sketch). The proof proceeds by showing simultaneously, by induction on $i$, that for $i \in [0, n]$:

(1) for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_i.A)$;

(2) $D_i$ is weight complete.

Base case. We just need to prove that $D_0$ is weight complete. Assume that there exists a derivation $\langle D_0.A, c_I\rangle \to^* \langle D_0.B, c_F\rangle$, where $c_I$ is a satisfiable constraint and $m(B, c_F) \in \{ss, dd, ff\}$. Then there exists a derivation $\xi : \langle D_0.A, c_I\rangle \to^* \langle D_0.B', c'_F\rangle$, such that $m(B', c'_F) = m(B, c_F)$, whose weight is minimal and where $\exists_{-Var(A,c_I)} c'_F = \exists_{-Var(A,c_I)} c_F$. It follows from Definition 4.7 that $\xi$ is a split derivation.

Induction step. By the inductive hypothesis, for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_{i-1}.A)$ and $D_{i-1}$ is weight complete. From Propositions 4.5 and 4.9 it follows that if $D_i$ is weight complete then for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_i.A)$. So, in order to prove parts 1 and 2, we only have to show that $D_i$ is weight complete.

Assume then that there exists a derivation $\langle D_0.A, c_I\rangle \to^* \langle D_0.B, c_F\rangle$ such that $c_I$ is a satisfiable constraint and $m(B, c_F) \in \{ss, dd, ff\}$. From the inductive hypothesis it follows that there exists a split derivation

$\chi = \langle D_{i-1}.A, c_I\rangle \to^* \langle D_{i-1}.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle \to^* \langle D_0.B'', c''_F\rangle$

where

$\exists_{-Var(A,c_I)} c''_F = \exists_{-Var(A,c_I)} c_F$ and $m(B'', c''_F) = m(B, c_F)$. (15)

Let $d \in D_{i-1} \setminus D_i$ be the modified clause in the transformation step from $D_{i-1}$ to $D_i$. If in the first $m$ steps of $\chi$ there is no procedure call which uses $d$ then clearly there exists a split derivation $\xi$ in $D_i \cup D_0$,

$\xi = \langle D_i.A, c_I\rangle \to^* \langle D_i.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle \to^* \langle D_0.B'', c''_F\rangle$

which performs the same steps as $\chi$, and then the thesis holds.

Otherwise, assume without loss of generality that R4 is the rule used in the first step of derivation $\chi$ and that $d$ is the clause employed in the first step of $\chi$. We also assume that the declaration $d$ is used only once in $\chi$, since the extension to the general case is immediate.

We have to distinguish various cases according to what happens to the clause $d$ when moving from $D_{i-1}$ to $D_i$. As before, we consider here only the unfolding and the folding cases, the others being deferred to the Appendix.

Unfolding: Assume that $d$ is unfolded and let $d'$ be the corresponding declaration in $D_i$. The situation is the following:

- $d : q(\tilde r) \leftarrow C[p(\tilde t)] \in D_{i-1}$,

- $u : p(\tilde s) \leftarrow H \in D_{i-1}$, and

- $d' : q(\tilde r) \leftarrow C[H \parallel tell(\tilde t = \tilde s)] \in D_i$,

where $d$ and $u$ are assumed to be renamed apart. By the definition of split derivation, $\chi$ has the form

$\langle D_{i-1}.C_I[q(\tilde v)], c_I\rangle \to \langle D_{i-1}.C_I[C[p(\tilde t)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_{i-1}.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle \to^* \langle D_0.B'', c''_F\rangle$.

Without loss of generality, we can assume that $Var(\chi) \cap Var(u) \ne \emptyset$ if and only if $p(\tilde t)$ is evaluated in the first $m$ steps of $\chi$, in which case $u$ is used for evaluating it. We have to distinguish two cases.

1) There exists $k \le m$ such that the $k$-th derivation step of $\chi$ is the procedure call $p(\tilde t)$. In this case $\chi$ has the form

$\langle D_{i-1}.C_I[q(\tilde v)], c_I\rangle \to \langle D_{i-1}.C_I[C[p(\tilde t)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_{i-1}.C_k[p(\tilde t)], c_k\rangle \to \langle D_{i-1}.C_k[H \parallel tell(\tilde t = \tilde s)], c_k\rangle \to^* \langle D_{i-1}.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle \to^* \langle D_0.B'', c''_F\rangle$.

Then there exists a corresponding derivation in $D_i \cup D_0$

$\xi = \langle D_i.C_I[q(\tilde v)], c_I\rangle \to \langle D_i.C_I[C[H \parallel tell(\tilde t = \tilde s)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_i.C_k[H \parallel tell(\tilde t = \tilde s)], c_k\rangle \to^* \langle D_i.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle \to^* \langle D_0.B'', c''_F\rangle$,

which performs exactly the same steps as $\chi$ except for the procedure call to $p(\tilde t)$. In this case the proof follows by observing that, since by the inductive hypothesis $\chi$ is a split derivation, the same holds for $\xi$.

2) There is no procedure call to $p(\tilde t)$ in the first $m$ steps. Therefore $\chi$ has the form

$\langle D_{i-1}.C_I[q(\tilde v)], c_I\rangle \to \langle D_{i-1}.C_I[C[p(\tilde t)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_{i-1}.C_m[p(\tilde t)], c_m\rangle \to \langle D_0.C_{m+1}[p(\tilde t)], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle$.

Then, by the definition of $D_i$, there exists a derivation

$\xi_0 = \langle D_i.C_I[q(\tilde v)], c_I\rangle \to \langle D_i.C_I[C[H \parallel tell(\tilde t = \tilde s)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_i.C_m[H \parallel tell(\tilde t = \tilde s)], c_m\rangle \to \langle D_0.C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m\rangle$.

Observe that from the derivation $\langle D_0.C_{m+1}[p(\tilde t)], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle$ and (15) it follows that

$W_t(C_{m+1}[p(\tilde t)], c_m, c''_F)$ is defined, where $t = m(B, c_F)$. (16)

The hypothesis on the variables implies that $Var(C_{m+1}[p(\tilde t)], c_m) \cap Var(u) = \emptyset$. Then, by the definition of transformation sequence and since $u \in D_{i-1}$, there exists a declaration $p(\tilde s) \leftarrow H_0 \in D_0$. By Lemma 4.10 and part 1 of Lemma 4.12 it follows that there exists a constraint $d_F$ such that

$W_t(C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m, d_F) \le W_t(C_{m+1}[p(\tilde t)], c_m, c''_F)$ (17)

and

$\exists_{-Var(C_{m+1}[p(\tilde t)],c_m)} d_F = \exists_{-Var(C_{m+1}[p(\tilde t)],c_m)} c''_F$. (18)

Therefore, by the definition of $W_t$, by (17) and since $W_t(C_{m+1}[p(\tilde t)], c_m, c''_F)$ is defined, there exists a derivation

$\xi_1 = \langle D_0.C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m\rangle \to^* \langle D_0.B', c'_F\rangle$,

where $\exists_{-Var(C_{m+1}[H \parallel tell(\tilde t = \tilde s)],c_m)} c'_F = \exists_{-Var(C_{m+1}[H \parallel tell(\tilde t = \tilde s)],c_m)} d_F$ and, by (16),

$m(B', c'_F) = m(B, c_F)$. (19)

By (18)

$\exists_{-Var(C_{m+1},c_m)} c'_F = \exists_{-Var(C_{m+1},c_m)} c''_F$ (20)

holds and, by definition of weight, we obtain

$W_t(C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m, c'_F) = W_t(C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m, d_F)$. (21)

Moreover, we can assume without loss of generality that $Var(\xi_0) \cap Var(\xi_1) = Var(C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m)$. Then, by the definition of procedure call

$Var(C_I[q(\tilde v)], c_I) \cap (Var(c'_F) \cup Var(c''_F)) \subseteq Var(C_{m+1}, c_m)$ (22)

and there exists a derivation

$\xi = \langle D_i.C_I[q(\tilde v)], c_I\rangle \to \langle D_i.C_I[C[H \parallel tell(\tilde t = \tilde s)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_i.C_m[H \parallel tell(\tilde t = \tilde s)], c_m\rangle \to \langle D_0.C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m\rangle \to^* \langle D_0.B', c'_F\rangle$

such that the first $m - 1$ derivation steps do not use rule R2 and the $m$-th derivation step uses the rule R2. Now, we have the following equalities

$\exists_{-Var(C_I[q(\tilde v)],c_I)} c'_F =$ (by (22) and by construction)

$\exists_{-Var(C_I[q(\tilde v)],c_I)} (c_m \wedge \exists_{-Var(C_{m+1},c_m)} c'_F) =$ (by (20))

$\exists_{-Var(C_I[q(\tilde v)],c_I)} (c_m \wedge \exists_{-Var(C_{m+1},c_m)} c''_F) =$ (by (22) and by construction)

$\exists_{-Var(C_I[q(\tilde v)],c_I)} c''_F =$ (by the first statement in (15))

$\exists_{-Var(C_I[q(\tilde v)],c_I)} c_F$.

By the definition of weight, $W_t(C_I[q(\tilde v)], c_I, c'_F) = W_t(C_I[q(\tilde v)], c_I, c''_F)$; by (21) and (17), $W_t(C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m, c'_F) \le W_t(C_{m+1}[p(\tilde t)], c_m, c''_F)$ and $W_t(C_{m+1}[p(\tilde t)], c_m, c''_F) < W_t(C_I[q(\tilde v)], c_I, c''_F)$, since $\chi$ is a split derivation. Therefore $W_t(C_{m+1}[H \parallel tell(\tilde t = \tilde s)], c_m, c'_F) < W_t(C_I[q(\tilde v)], c_I, c'_F)$ and then, by definition, $\xi$ is a split derivation in $D_i \cup D_0$. This, together with (19), implies the thesis.

Folding: Assume that $d$ is folded and let

- $d : q(\tilde r) \leftarrow C[H]$ be the folded declaration ($\in D_{i-1}$),

- $f : p(\tilde X) \leftarrow H$ be the folding declaration ($\in D_0$),

- $d' : q(\tilde r) \leftarrow C[p(\tilde X)]$ be the result of the folding operation ($\in D_i$),

where, by definition of folding, $Var(d) \cap Var(\tilde X) \subseteq Var(H)$ and $Var(H) \cap (Var(\tilde r) \cup Var(C)) \subseteq Var(\tilde X)$. Since $C[\,]$ is a guarding context, the agent $H$ in $C[H]$ appears in the scope of an ask guard. By definition of split derivation $\chi$ has the form

$\langle D_{i-1}.C_I[q(\tilde v)], c_I\rangle \to \langle D_{i-1}.C_I[C[H] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_{i-1}.C_m[H], c_m\rangle \to \langle D_0.C_{m+1}[H], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle$,

where $C_m[\,]$ is a guarding context. Without loss of generality we can assume that $Var(\chi) \cap Var(\tilde X) \subseteq Var(H)$. Then, from the definition of $D_i$ it follows that there exists a derivation

$\xi_0 = \langle D_i.C_I[q(\tilde v)], c_I\rangle \to \langle D_i.C_I[C[p(\tilde X)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_i.C_m[p(\tilde X)], c_m\rangle \to \langle D_0.C_{m+1}[p(\tilde X)], c_m\rangle$,

which performs exactly the first $m$ steps of $\chi$. Since $\langle D_0.C_{m+1}[H], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle$, the definition of weight implies that $W_t(C_{m+1}[H], c_m, c''_F)$ is defined, where $t = m(B'', c''_F)$. Then, by (15), we have that

$t = m(B, c_F)$. (23)

The definitions of derivation and folding imply that $Var(H) \cap Var(C_{m+1}, c_m) \subseteq Var(H) \cap Var(C, \tilde r) \subseteq Var(\tilde X)$ holds. Moreover, from the assumptions on the variables, we obtain that $Var(c''_F) \cap Var(\tilde X) \subseteq Var(H)$. Thus, from part 2 of Lemma 4.11 it follows that there exists a constraint $d'$ such that

$W_t(C_{m+1}[p(\tilde X)], c_m, d') \le W_t(C_{m+1}[H], c_m, c''_F)$ and (24)

$\exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} d' = \exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} c''_F$. (25)

From the definition of weight and the fact that $W_t(C_{m+1}[H], c_m, c''_F)$ is defined it follows that there exists a derivation $\xi_1 = \langle D_0.C_{m+1}[p(\tilde X)], c_m\rangle \to^* \langle D_0.B', c'_F\rangle$, where $m(B', c'_F) = t$ and $\exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} c'_F = \exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} d'$. Then, by the definition of weight, $W_t(C_{m+1}[p(\tilde X)], c_m, c'_F) = W_t(C_{m+1}[p(\tilde X)], c_m, d')$ and therefore, by (24) and (25),

$\exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} c'_F = \exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} c''_F$ and (26)

$W_t(C_{m+1}[p(\tilde X)], c_m, c'_F) \le W_t(C_{m+1}[H], c_m, c''_F)$ (27)

hold. Moreover, from (23) we obtain

$m(B', c'_F) = m(B, c_F)$. (28)

Without loss of generality, we can now assume that

$Var(\xi_0) \cap Var(\xi_1) = Var(C_{m+1}[p(\tilde X)], c_m)$.

Then, by (26), (27) and (15) it follows that

$\exists_{-Var(C_I[q(\tilde v)],c_I)} c'_F = \exists_{-Var(C_I[q(\tilde v)],c_I)} (c_m \wedge \exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} c'_F) =$

$\exists_{-Var(C_I[q(\tilde v)],c_I)} (c_m \wedge \exists_{-Var(C_{m+1}[p(\tilde X)],c_m)} c''_F) =$

$\exists_{-Var(C_I[q(\tilde v)],c_I)} c''_F = \exists_{-Var(C_I[q(\tilde v)],c_I)} c_F$. (29)

From the definition of weight $W_t(C_I[q(\tilde v)], c_I, c'_F) = W_t(C_I[q(\tilde v)], c_I, c''_F)$ and since $\chi$ is a split derivation we obtain $W_t(C_I[q(\tilde v)], c_I, c''_F) > W_t(C_{m+1}[H], c_m, c''_F)$. Then, from (29) it follows that

$W_t(C_I[q(\tilde v)], c_I, c'_F) > W_t(C_{m+1}[p(\tilde X)], c_m, c'_F)$ (30)

and therefore, by construction,

$\xi = \langle D_i.C_I[q(\tilde v)], c_I\rangle \to \langle D_i.C_I[C[p(\tilde X)] \parallel tell(\tilde v = \tilde r)], c_I\rangle \to^* \langle D_i.C_m[p(\tilde X)], c_m\rangle \to \langle D_0.C_{m+1}[p(\tilde X)], c_m\rangle \to^* \langle D_0.B', c'_F\rangle$

is a derivation in $D_i \cup D_0$ such that: (a) rule R2 is not used in the first $m - 1$ steps; (b) rule R2 is used in the $m$-th step. The thesis then follows from (29), (28) and (30), thus concluding the proof. □

It is important to notice that, given the definition of observables we are adopting (Definition 4.1), the initial program $D_0$ and the final one $D_n$ have exactly the same successful derivations, the same deadlocked derivations and the same failed derivations. The first feature (regarding successful derivations) is to some extent the one we expect and require from a transformation, because it corresponds to the intuition that $D_n$ "produces the same results" as $D_0$. Nevertheless, the second feature (preservation of deadlocked derivations) also has an important role. Firstly, it ensures that the transformation does not introduce deadlock points, which is of crucial importance when we are using the transformation for optimizing a program. Secondly, as exemplified in Section 6, this feature allows us to use the transformation as a tool for proving deadlock freeness (i.e., absence of deadlock). In fact, if after the transformation we can prove or see that the process $D_n.A$ never deadlocks, then we are also sure that $D_0.A$ does not deadlock either.
5. CORRECTNESS FOR NON-TERMINATING COMPUTATIONS

The correctness results obtained so far consider terminating (successful and deadlocked) and failed computations only. This is satisfactory for many applications of concurrent constraint programming which have a "transformational" behaviour, i.e. which are supposed to produce a (finite) output for a given (finite) input. In this respect, it is worth noting that the two main semantic models of CCP consider essentially the same notion of observables we used. In fact, the model based on linear sequences defined in [de Boer and Palamidessi 1991] characterizes (in a fully abstract way) the results of terminating computations, together with a termination mode indicating success, deadlock or failure (*). Such a model has been proved ([de Boer and Palamidessi 1992]) to be isomorphic to the semantics based on (bounded) closure operators introduced in [Saraswat et al. 1991], provided that the termination mode and the consistency checks are eliminated.

So, our correctness results are adequate in the sense that they ensure that the standard semantics of CCP is preserved. On the other hand, as in the case of any other concurrent programming paradigm, CCP programs may have a "reactive" nature: rather than producing a final result they produce a (possibly non-terminating) sequence of intermediate results in response to some external stimuli. For these programs the notion of observables employed in Theorem 4.13 and the related results is not adequate, since it excludes non-terminating computations.

When considering non-terminating computations one is interested in observing (possibly in terms of traces) the intermediate results, that is the constraints produced also by non-maximal derivations, rather than the final limit of the computation (note however that in CCP such a notion of limit makes sense, as the store grows monotonically). Therefore, in the remainder of this section we first discuss the correctness of our system w.r.t. this new class of observables. Then, we show a modification of our transformation system and we present a stronger correctness result, which guarantees that (traces of) intermediate results are preserved.

5.1 Partial preservation of intermediate results

It is easy to see that the system we have proposed does not preserve the intermediate results of computations. More precisely, let us define these observables as follows:

$\mathcal{O}_I(D.A) = \{(c, \exists_{-Var(A,c)} d, pp) \mid c$ and $d$ are satisfiable, and there exists a derivation $\langle D.A, c\rangle \to^* \langle D.B, d\rangle\}$

(the symbol $pp$ indicates here that we consider results obtained from "partial", that is, possibly not maximal, derivations). Now, it is easy to see that the operations of ask and tell simplification are neither partially nor totally correct w.r.t. the semantics $\mathcal{O}_I(D.A)$. In fact, the ask simplification allows one to transform the agent

$A : tell(c) \parallel ask(true) \to tell(d)$

into the agent

$A' : tell(c) \parallel ask(c) \to tell(d)$.

While the agent $A$, when evaluated in the empty store, produces the intermediate result $d$, this is not the case for the agent $A'$ (we assume that $c \wedge d \ne d$). Analogously, assuming that $\mathcal{D} \models d \to c$ and $\mathcal{D} \models d \to c'$, the tell simplification allows one to transform

$B : tell(c) \parallel tell(d)$

into the agent

$B' : tell(c') \parallel tell(d)$

and the agents $B$ and $B'$ have different intermediate results. Other operations which are not correct w.r.t. the above semantics are the distribution and the tell elimination and introduction.

(*) There are irrelevant differences between the observables considered in [de Boer and Palamidessi 1991] and the ones we used, due to the treatment of failure and to the existential quantification on local variables.

Nevertheless, the system we have defined already preserves a form of intermediate results. This is shown by the following theorem.

Theorem 5.1 (Total Correctness 2). Let $D_0, \ldots, D_n$ be a transformation sequence, and $A$ be an agent.

- If there exists a derivation $\langle D_0.A, c\rangle \to^* \langle D_0.B, d\rangle$ then there exists a derivation $\langle D_n.A, c\rangle \to^* \langle D_n.B', d'\rangle$ such that $\mathcal{D} \models \exists_{-Var(A,c)} d' \to \exists_{-Var(A,c)} d$.

- Conversely, if there exists a derivation $\langle D_n.A, c\rangle \to^* \langle D_n.B, d\rangle$ then there exists a derivation $\langle D_0.A, c\rangle \to^* \langle D_0.B', d'\rangle$ with $\mathcal{D} \models \exists_{-Var(A,c)} d' \to \exists_{-Var(A,c)} d$.

Proof. The proof of this result is essentially the same as that of the total correctness Theorem 4.13, provided that in such a proof, as well as in the proofs of the related preliminary results, we perform the following changes:

(1) Rather than considering terminating derivations, we consider any (possibly non-maximal) finite derivation.

(2) Whenever in a proof we write that, given a derivation $\xi$, a derivation $\xi'$ is constructed which performs the same steps $\xi$ does, possibly in a different order, we now write that a derivation $\xi''$ is constructed which performs the same steps of $\xi$ (possibly in a different order) plus some other additional steps. Since the store grows monotonically in CCP derivations, clearly if a constraint $c$ is the result of the derivation $\xi$, then a constraint $c''$ is the result of $\xi''$ such that $\mathcal{D} \models c'' \to c$ holds. For example, for case 2 in the proof of Proposition 4.5, when considering a (non-maximal) derivation $\xi$ which uses the declaration $H \leftarrow C[tell(\tilde s = \tilde t) \parallel B]$ we can always construct a derivation $\xi''$ which performs all the steps of $\xi$ (possibly plus others) and such that the $tell(\tilde s = \tilde t)$ agent is evaluated before $B$. Differently from the previous proof, now we are not ensured that the result of $\xi$ is the same as that of $\xi''$, since $\xi$ is non-maximal (thus, $\xi$ could also avoid the evaluation of $tell(\tilde s = \tilde t)$). However, we are ensured that the result of $\xi''$ is stronger than (i.e. implies) that of $\xi$. □

This result ensures that the original and the transformed program have the same intermediate results up to logical implication: if the evaluation of an agent in the original program produces a constraint $d$, then a constraint stronger than $d$ is produced in the transformed program, and vice versa. The vice versa is important, as it ensures that the transformed program will never produce something that could not be produced by the original program, up to implication. Clearly, this result is relevant in the presence of non-terminating computations (which were not covered by Theorem 4.13).

In order to maintain a consistent notation throughout the paper, the above result can be reformulated in terms of the following class of observables

$\mathcal{O}_{ic}(D.A) = \{(c, \exists_{-Var(A,c)} d, pp) \mid c$ is satisfiable, there exists a derivation $\langle D.A, c\rangle \to^* \langle D.B, d'\rangle$ and $\mathcal{D} \models \exists_{-Var(A,c)} d' \to \exists_{-Var(A,c)} d\}$

where the subscript $ic$ stands for implication closure (of intermediate results). We then have the following Corollary, whose proof is immediate.

Corollary 5.2. Let $D_0, \ldots, D_n$ be a transformation sequence. Then, for any agent $A$, $\mathcal{O}_{ic}(D_0.A) = \mathcal{O}_{ic}(D_n.A)$.

This result guarantees a degree of correctness which should be sufficient for many 
reactive programs employing non-terminating computations. In fact, when trans- 
forming a program, probably one should not expect to be able to preserve exactly 
each intermediate result the original program was producing. 
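The two counterexamples of Section 5.1 and the implication-closure reading of Corollary 5.2 can be checked mechanically on a toy model. The following is an added example, not code from the paper: a small CCP interpreter over a propositional constraint system (constraints are sets of atoms, entailment is inclusion, no local variables, so the projection is the identity) that enumerates every finite derivation of $A$, $A'$, $B$, $B'$ and compares their final results, their intermediate results and the implication closures of the latter. The agent syntax and the atom names are constructed for the example.

```python
"""Added example, not from the paper: a toy CCP interpreter over a propositional
constraint system.  A constraint is a frozenset of atoms (their conjunction),
the store grows by union, D |= c -> c' holds iff c' <= c, and there are no local
variables, so exists_{-Var(A,c)} is the identity.
Agent syntax (constructed for this example):
  ("tell", atoms)   ("ask", guard_atoms, agent)   ("par", left, right)   STOP
"""
from itertools import combinations

STOP = "stop"
TRUE = frozenset()            # the empty conjunction


def entails(store, guard):
    """D |= store -> guard: every atom of the guard is already in the store."""
    return frozenset(guard) <= store


def steps(agent, store):
    """All one-step successors <agent', store'> of the configuration <agent, store>."""
    if agent == STOP:
        return []
    kind = agent[0]
    if kind == "tell":
        return [(STOP, store | frozenset(agent[1]))]
    if kind == "ask":
        _, guard, body = agent
        return [(body, store)] if entails(store, guard) else []
    if kind == "par":
        _, left, right = agent
        if left == STOP:
            return steps(right, store)
        if right == STOP:
            return steps(left, store)
        # no order is imposed on parallel agents: either side may move first
        return ([(("par", l2, right), s2) for l2, s2 in steps(left, store)] +
                [(("par", left, r2), s2) for r2, s2 in steps(right, store)])
    raise ValueError(f"unknown agent form: {agent!r}")


def derivations(agent, store=TRUE):
    """All finite derivations from <agent, store> as (last agent, trace of stores)."""
    found = set()
    stack = [(agent, (store,))]
    while stack:
        current, trace = stack.pop()
        found.add((current, trace))
        for nxt, nxt_store in steps(current, trace[-1]):
            stack.append((nxt, trace + (nxt_store,)))
    return found


def partial_results(agent, store=TRUE):
    """Intermediate results (the pp observables): the store of any finite derivation."""
    return {trace[-1] for _, trace in derivations(agent, store)}


def final_results(agent, store=TRUE):
    """Results of maximal derivations (no step applies to the last agent)."""
    return {trace[-1] for last, trace in derivations(agent, store)
            if not steps(last, trace[-1])}


def implication_closure(results):
    """Implication closure of a set of results: every constraint implied by one
    of them, which for atom sets means every subset of some result."""
    return {frozenset(sub) for r in results
            for k in range(len(r) + 1) for sub in combinations(sorted(r), k)}


def check(original, transformed):
    """Compare the observables discussed in Section 5.1 for one transformation."""
    orig_partial, new_partial = partial_results(original), partial_results(transformed)
    return {
        "same_final_results": final_results(original) == final_results(transformed),
        "same_partial_results": orig_partial == new_partial,
        "same_implication_closure":
            implication_closure(orig_partial) == implication_closure(new_partial),
        "lost_intermediate_results": orig_partial - new_partial,
    }


# Ask simplification: A = tell(c) || ask(true) -> tell(d),  A' = tell(c) || ask(c) -> tell(d)
A = ("par", ("tell", frozenset({"c"})), ("ask", TRUE, ("tell", frozenset({"d"}))))
A1 = ("par", ("tell", frozenset({"c"})), ("ask", frozenset({"c"}), ("tell", frozenset({"d"}))))

# Tell simplification with D |= d -> c and D |= d -> c': here d is the conjunction c /\ c' /\ e
D_CONSTRAINT = frozenset({"c", "c'", "e"})
B = ("par", ("tell", frozenset({"c"})), ("tell", D_CONSTRAINT))    # B  = tell(c)  || tell(d)
B1 = ("par", ("tell", frozenset({"c'"})), ("tell", D_CONSTRAINT))  # B' = tell(c') || tell(d)

if __name__ == "__main__":
    for name, orig, new in (("ask simplification", A, A1), ("tell simplification", B, B1)):
        print(name, check(orig, new))
```

For the ask simplification the final result $c \wedge d$ is preserved but the intermediate result $d$ alone is lost, and for the tell simplification the intermediate result $c$ is lost, while in both cases the implication closures coincide.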

Nevertheless, it is of interest to check if it is possible to modify the system in 
order to obtain stronger correctness results. We do this in the following section. 

5.2 Full preservation of intermediate results 

In this section we introduce a few restrictions on our transformation system and we 
prove that they guarantee the preservation of the whole sequence of intermediate 
results of a program. 

As previously mentioned, the only operations not preserving the intermediate results are the ask and tell simplification, the distribution and the tell elimination and introduction. As the example above suggests, the problem with the ask and tell simplification lies in the fact that one can modify the arguments of ask and tell agents by taking into account (via the "produced constraint") also the constraints introduced by tell actions appearing in the parallel context (see Definitions 3.4 and 3.6). This clearly can affect the intermediate results of the computations, since no order is imposed on the evaluation of parallel agents. This reasoning applies to the distribution operation as well.

We have then to modify the ask and tell simplification and the distribution by 
considering a weaker notion of "produced constraint" , which includes only those 
constraints which have certainly been produced before reaching the ask or tell agent 
we are simplifying. Such a notion is defined as follows. 

Definition 5.3. Given a context $C[\,]$ the weakest produced constraint $wpc(C[\,])$ of $C[\,]$ is inductively defined as follows:

$wpc([\,]) = true$

$wpc(C'[\,] \parallel B) = wpc(C'[\,])$

$wpc(\sum_{i=1}^{n} ask(c_i) \to A_i) = c_j \wedge wpc(C'[\,])$ where $j \in [1, n]$ and $A_j = C'[\,]$.

For example, the weakest produced constraint of $[\,] \parallel tell(c)$ is $true$, while the weakest produced constraint of $tell(c) \parallel ask(d) \to (ask(e) \to [\,])$ is $d \wedge e$. We can then define the weak equivalence of two constraints within a given context $C[\,]$ as follows.

Definition 5.4. Let $c, c'$ be constraints, $C[\,]$ be a context, and $Z$ be a set of variables. We say that $c$ is weakly equivalent to $c'$ within $C[\,]$ and w.r.t. the variables in $Z$ iff $\mathcal{D} \models \exists_{-Z}(wpc(C[\,]) \wedge c) \leftrightarrow \exists_{-Z}(wpc(C[\,]) \wedge c')$.

Using this definition we can modify the operations of ask and tell simplification and of distribution by simply replacing the context equivalence used in Definition 3.6 with the above notion of weak context equivalence. For the sake of clarity we state below the resulting definitions.

Definition 5.5 (Restricted Ask and Tell Simplification). Let $D$ be a set of declarations.

(1) Let $d : H \leftarrow C[\sum_{i=1}^{n} ask(c_i) \to A_i]$ be a declaration of $D$. Suppose that $c'_1, \ldots, c'_n$ are constraints such that for $j \in [1, n]$, $c'_j$ is weakly equivalent to $c_j$ within $C[\,]$ and w.r.t. the variables in $Var(C, H, A_j)$. Then we can replace $d$ with $d' : H \leftarrow C[\sum_{i=1}^{n} ask(c'_i) \to A_i]$ in $D$. We call this a restricted ask simplification operation.

(2) Let $d : H \leftarrow C[tell(c)]$ be a declaration of $D$. Suppose that the constraint $c'$ is weakly equivalent to $c$ within $C[\,]$ and w.r.t. the variables in $Var(C, H)$. Then we can replace $d$ with $d' : H \leftarrow C[tell(c')]$ in $D$. We call this a restricted tell simplification operation.

Definition 5.6 (Restricted Distribution). Let $D$ be a set of declarations and let

$d : H \leftarrow C[A \parallel \sum_{i=1}^{n} ask(c_i) \to B_i]$

be a declaration in $D$. Let also $e = wpc(C[\,])$. The restricted distribution of $A$ in $d$ yields the definition

$d' : H \leftarrow C[\sum_{i=1}^{n} ask(c_i) \to (A \parallel B_i)]$

provided that for every constraint $c$ such that $Var(c) \cap Var(d) \subseteq Var(H, C)$, if $\langle D.A, c \wedge e\rangle$ is productive then both the following conditions hold:

(a) There exists at least one $i \in [1, n]$ such that $\mathcal{D} \models (c \wedge e) \to c_i$,

(b) for each $i \in [1, n]$, either $\mathcal{D} \models (c \wedge e) \to c_i$ or $\mathcal{D} \models (c \wedge e) \to \neg c_i$.

Remark 3.12 is also sufficient for guaranteeing that the restricted distribution operation is applicable. Thus we have the following.

Remark 5.7. Referring to Definition 5.6, if $A$ requires a variable which does not occur in $H, C[\,]$, then the restricted distribution operation is applicable.
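The following is an added example, not code from the paper: it implements $wpc$ (Definition 5.3) and weak equivalence (Definition 5.4) over a small context syntax in the same propositional constraint system as the earlier toy model (constraints are sets of atoms, no variables, so $\exists_{-Z}$ is the identity), and uses them as the applicability check of the restricted ask simplification of Definition 5.5(1). The context syntax and atom names are constructed; the check reproduces the two worked $wpc$ examples given after Definition 5.3 and shows that the Section 5.1 rewrite of $ask(true)$ into $ask(c)$ inside $tell(c) \parallel [\,]$ is refused, whereas simplifying $ask(c \wedge d)$ to $ask(d)$ inside $ask(c) \to [\,]$ is accepted.

```python
"""Added example, not from the paper: wpc (Definition 5.3), weak equivalence
(Definition 5.4) and the restricted ask simplification check (Definition 5.5)
over a propositional constraint system: constraints are frozensets of atoms,
entailment is inclusion and there are no variables, so exists_{-Z} is the identity.
Context syntax (constructed): HOLE, ("par", left, right) with the hole in exactly
one side, ("sum", [(guard_atoms, branch), ...]) with the hole in one branch,
("ask", guard_atoms, body) as the one-branch sum, and ("tell", atoms) as a leaf.
"""
HOLE = "[]"
TRUE = frozenset()


def has_hole(term):
    """True iff the hole [ ] occurs somewhere inside the term."""
    if term == HOLE:
        return True
    if not isinstance(term, tuple):
        return False
    if term[0] == "sum":
        return any(has_hole(branch) for _, branch in term[1])
    return any(has_hole(part) for part in term[1:])


def wpc(ctx):
    """Definition 5.3: the conjunction of the ask guards that must have been
    entailed before the hole is reached; tells in parallel do not count."""
    if ctx == HOLE:
        return TRUE                                  # wpc([ ]) = true
    kind = ctx[0]
    if kind == "par":                                # wpc(C'[ ] || B) = wpc(C'[ ])
        _, left, right = ctx
        return wpc(left) if has_hole(left) else wpc(right)
    if kind == "sum":                                # wpc(sum ask(c_i) -> A_i) = c_j /\ wpc(A_j)
        for guard, branch in ctx[1]:
            if has_hole(branch):
                return frozenset(guard) | wpc(branch)
    if kind == "ask":                                # single ask: the n = 1 case of the sum
        _, guard, body = ctx
        return frozenset(guard) | wpc(body)
    raise ValueError(f"no hole in context: {ctx!r}")


def weakly_equivalent(ctx, c, c1):
    """Definition 5.4 (Z is irrelevant without variables): wpc(C) /\ c <-> wpc(C) /\ c'."""
    e = wpc(ctx)
    return e | frozenset(c) == e | frozenset(c1)


def restricted_ask_simplification(ctx, branches, new_guards):
    """Definition 5.5(1): replace each guard c_j by c'_j only if the two are weakly
    equivalent within C[ ].  Returns the new sum agent, or None if not applicable."""
    if len(branches) != len(new_guards):
        raise ValueError("one new guard per branch is required")
    for (old_guard, _), new_guard in zip(branches, new_guards):
        if not weakly_equivalent(ctx, old_guard, new_guard):
            return None
    return ("sum", [(frozenset(new_guard), body)
                    for (_, body), new_guard in zip(branches, new_guards)])


# The two worked examples that follow Definition 5.3
C_PAR = ("par", HOLE, ("tell", frozenset({"c"})))                       # [ ] || tell(c)
C_NESTED = ("par", ("tell", frozenset({"c"})),                           # tell(c) || ask(d) -> (ask(e) -> [ ])
            ("ask", frozenset({"d"}), ("ask", frozenset({"e"}), HOLE)))

# The Section 5.1 counterexample: within tell(c) || [ ], the guard true is not
# weakly equivalent to c, so the restricted operation refuses ask(true) -> ask(c).
C_TELL = ("par", ("tell", frozenset({"c"})), HOLE)
BRANCH_TRUE = [(TRUE, ("tell", frozenset({"d"})))]                       # ask(true) -> tell(d)

# An applicable case: within ask(c) -> [ ], the guard c /\ d may become d.
C_GUARDED = ("ask", frozenset({"c"}), HOLE)
BRANCH_CD = [(frozenset({"c", "d"}), ("tell", frozenset({"e"})))]        # ask(c /\ d) -> tell(e)

if __name__ == "__main__":
    print(sorted(wpc(C_PAR)), sorted(wpc(C_NESTED)))
    print(restricted_ask_simplification(C_TELL, BRANCH_TRUE, [frozenset({"c"})]))
    print(restricted_ask_simplification(C_GUARDED, BRANCH_CD, [frozenset({"d"})]))
```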
Also the tell elimination and the tell introduction operations do not preserve the intermediate results of computations. This is not due to the presence of the produced constraint, but rather to the very nature of the operation, which can eliminate or introduce constraints which, via the local variables, can (temporarily) affect also the values of global variables. For example, the declaration

$d : p(Y) \leftarrow tell(Z = a) \parallel tell(Y = f(Z))$

can be transformed via a tell elimination into

$d' : p(Y) \leftarrow tell(Y = f(a))$

The evaluation of $p(Y)$ in the empty store and using $d$ produces the (intermediate) result $Y = f(Z)$, while this is not the case if one uses the declaration $d'$. We can solve this problem by simply requiring that if we eliminate a tell by applying the resulting substitution to the parallel context $B$, then $B$ does not contain any variable appearing in the head or in the outer context. Thus we have the following.

Definition 5.8 (Restricted Tell Elimination and Tell Introduction). The declaration

$d : H \leftarrow C[tell(\tilde s = \tilde t) \parallel B]$

can be transformed via a restricted tell elimination into

$d' : H \leftarrow C[B\sigma]$

where $\sigma$ is a relevant most general unifier of $\tilde s$ and $\tilde t$, provided that the variables in the domain of $\sigma$ occur neither in $C[\,]$ nor in $H$, and that $Var(B) \cap Var(H, C) = \emptyset$. Again, this operation is applicable either when the computational domain admits a most general unifier, or when $\tilde s$ and $\tilde t$ are sequences of distinct variables, in which case $\sigma$ is simply a renaming. On the other hand, the declaration

$d : H \leftarrow C[B\sigma]$

can be transformed via a restricted tell introduction into

$d' : H \leftarrow C[tell(\tilde X = \tilde X\sigma) \parallel B]$

provided that $\sigma$ is a substitution such that $\tilde X = Dom(\sigma)$ and $Dom(\sigma) \cap (Var(C[\,], H) \cup Ran(\sigma)) = \emptyset$, and that $Var(B) \cap Var(H, C) = \emptyset$.

At this point it is worth recalling that the tell elimination is often used for making variable bindings explicit after an unfolding operation: in fact we start from a definition of the form $d : H \leftarrow C[p(\tilde t)]$ and by unfolding $p(\tilde t)$ we end with $d' : H \leftarrow C[B \parallel tell(\tilde t = \tilde s)]$ (provided that $p$ is defined by $u : p(\tilde s) \leftarrow B$). Then we want to eliminate $tell(\tilde t = \tilde s)$ from $d'$ in order to perform the "parameter passing". Since $d$ and $u$ are always renamed apart, clearly the additional condition of the restricted tell elimination ($Var(B) \cap Var(H, C) = \emptyset$) is always satisfied here. So, in general, this operation is applicable every time that $\tilde t$ is an instance of $\tilde s$.

We can finally define the restricted transformation system as follows.

Definition 5.9. A restricted transformation sequence is a sequence of programs $D_0, \ldots, D_n$ in which $D_0$ is an initial program and each $D_{i+1}$ is obtained from $D_i$ via one of the following operations: unfolding, backward instantiation, restricted tell elimination, restricted tell introduction, restricted ask and tell simplification, branch elimination, conservative ask elimination, restricted distribution and folding.

Clearly, the restricted transformation operations are applicable in fewer situations than their non-restricted counterparts, yet they are useful in many cases. Example 6.1 shows a case of an unfold-fold transformation sequence using only restricted operations, and the other examples contain several occurrences of them. We now prove that the restricted system is correct w.r.t. the trace semantics of CCP. Here and in the following we denote by $c_1; c_2; \ldots; c_n$ a sequence of constraints, also called trace.

Definition 5.10 (Traces). Let D.A be a CCP process. We define

$$
\begin{array}{ll}
\mathcal{O}_t(D.A) = & \{(c_1; c_2; \ldots; c_n,\ ss) \mid \text{there exists a derivation } \langle D.A, d_1\rangle \to \langle D.A_2, d_2\rangle \to \cdots \to \langle D.Stop, d_n\rangle, \\
& \quad d_i \text{ is satisfiable for each } i \in [1,n],\ c_1 = d_1 \text{ and } c_j = \exists_{-Var(A,c_1)}\, d_j \text{ for each } j \in [2,n]\} \\[4pt]
\cup & \{(c_1; c_2; \ldots; c_n,\ dd) \mid \text{there exists a derivation } \langle D.A, d_1\rangle \to \langle D.A_2, d_2\rangle \to \cdots \to \langle D.A_n, d_n\rangle \not\to, \\
& \quad A_n \neq Stop,\ d_i \text{ is satisfiable for each } i \in [1,n],\ c_1 = d_1 \text{ and } c_j = \exists_{-Var(A,c_1)}\, d_j \text{ for each } j \in [2,n]\} \\[4pt]
\cup & \{(c_1; c_2; \ldots; c_n,\ pp) \mid \text{there exists a derivation } \langle D.A, d_1\rangle \to \langle D.A_2, d_2\rangle \to \cdots \to \langle D.A_n, d_n\rangle, \\
& \quad d_i \text{ is satisfiable for each } i \in [1,n],\ c_1 = d_1 \text{ and } c_j = \exists_{-Var(A,c_1)}\, d_j \text{ for each } j \in [2,n]\} \\[4pt]
\cup & \{(c_1; c_2; \ldots; c_n,\ ff) \mid \text{there exists a derivation } \langle D.A, d_1\rangle \to \langle D.A_2, d_2\rangle \to \cdots \to \langle D.A_n, d_n\rangle \not\to, \\
& \quad d_i \text{ is satisfiable for each } i \in [1,n-1],\ d_n = false,\ c_1 = d_1 \text{ and } c_j = \exists_{-Var(A,c_1)}\, d_j \text{ for each } j \in [2,n]\}
\end{array}
$$

Thus what we observe are the finite traces consisting of the constraints produced by any (possibly non-terminating) derivation. As before, we abstract from the values of the local variables in the results, and we distinguish between the successful traces (termination mode ss), the deadlocked ones (dd), the partial (i.e. possibly non-maximal) traces (pp) and the failed ones (ff). Note that, due to the monotonic computational model of CCP, which does not allow us to retract information from the global store, the traces we observe are monotonically increasing. That is, given a trace c1; c2; …; cn appearing in the observables, ci entails cj (⊨ ci → cj) for each i, j ∈ [1, n] such that i > j. Before giving the correctness result, we need one last definition.
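Definition 5.10 and the monotonicity remark can be made concrete with a small exhaustive interpreter. The following Python is an added example, not the paper's code: it assumes a toy constraint system in which a store is a frozenset of atoms of the form Var=value, entailment is membership (plus the constraint true), and a store with two different bindings for one variable plays the role of false. The hiding of local variables (the ∃ in the definition) is omitted, and the constructors tell/ask/par/call, the value STOP and the functions trace_observables, modes and is_monotone are this example's own names.

```python
# Added example, not from the paper: a bounded exhaustive interpreter for a toy CCP
# fragment that enumerates the finite traces of Definition 5.10 with their modes.
STOP = ("stop",)

def tell(c):          return ("tell", c)
def ask(*branches):   return ("ask", tuple(branches))   # branches are (guard, agent) pairs
def par(a, b):        return ("par", a, b)
def call(name):       return ("call", name)             # parameterless call into decls

def entails(store, c):
    """Constructed constraint system: the store entails exactly its atoms and 'true'."""
    return c == "true" or c in store

def is_false(store):
    """The store is inconsistent when it binds one variable to two different values."""
    seen = {}
    for atom in store:
        var, _, val = atom.partition("=")
        if seen.setdefault(var, val) != val:
            return True
    return False

def normalize(agent):
    """Stop || A and A || Stop collapse to A, so success is the agent Stop itself."""
    if agent[0] == "par":
        left, right = normalize(agent[1]), normalize(agent[2])
        if left == STOP:
            return right
        if right == STOP:
            return left
        return ("par", left, right)
    return agent

def successors(decls, agent, store):
    """All one-step transitions of the configuration (agent, store)."""
    kind = agent[0]
    if kind == "tell":
        return [(STOP, store | {agent[1]})]
    if kind == "ask":                      # only branches whose guard is entailed may fire
        return [(normalize(body), store) for guard, body in agent[1] if entails(store, guard)]
    if kind == "call":
        return [(normalize(decls[agent[1]]), store)]
    if kind == "par":                      # interleaving: either component may move
        left, right = agent[1], agent[2]
        return ([(normalize(("par", a, right)), s) for a, s in successors(decls, left, store)] +
                [(normalize(("par", left, b)), s) for b, s in successors(decls, right, store)])
    return []

def trace_observables(decls, agent, store, max_steps):
    """Finite traces paired with termination modes ss/dd/pp/ff, in the sense of
    Definition 5.10 (no local-variable hiding; derivations are cut at max_steps)."""
    result = set()

    def walk(agent, store, trace, budget):
        trace = trace + (store,)
        if is_false(store):                # d_n = false: failed trace
            result.add((trace, "ff"))
            return
        result.add((trace, "pp"))          # every prefix is a partial trace
        if agent == STOP:
            result.add((trace, "ss"))
            return
        succ = successors(decls, agent, store)
        if not succ:                       # A_n != Stop and no transition: deadlock
            result.add((trace, "dd"))
            return
        if budget > 0:
            for next_agent, next_store in succ:
                walk(next_agent, next_store, trace, budget - 1)

    walk(normalize(agent), store, (), max_steps)
    return result

def modes(observables):
    return {mode for _, mode in observables}

def is_monotone(trace):
    """Later stores entail (here: include) earlier ones, as the text claims for CCP."""
    return all(trace[i] <= trace[i + 1] for i in range(len(trace) - 1))
```

Running tell(X=a) || (ask(X=a) → tell(Y=b) + ask(X=c) → stop) from the empty store yields only pp and ss traces, since the ask cannot fire before the tell; replacing the guard by X=c gives a dd trace, and tell(X=a) || tell(X=b) gives an ff trace in both interleavings. A recursive declaration that keeps telling the same constraint produces pp traces only, which is the non-active behaviour discussed in Section 5.3.1.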

Definition 5.11. We say that a trace c1; c2; …; cn is simulated by a trace d1; d2; …; dm, notation c1; c2; …; cn ≼ d1; d2; …; dm, iff there exists {j1, …, jn} ⊆ {1, 2, …, m} such that

(1) ci = d_{ji} for each i ∈ [1, n];

(2) j1 = 1, jn = m and ji ≤ jk whenever i ≤ k.

So, a trace s is simulated by a trace s' iff they have the same first and last element and all components appearing in s appear, in the same order, in s'.

We can now state our strongest correctness result. Its proof, contained in the Appendix, follows the guidelines of that of Theorem 4.13. In fact, the definitions of mode, weight, split derivation and weight complete program can readily be extended to consider traces and weakest produced constraints, rather than input/output pairs and produced constraints. Then it is easy to extend all the technical lemmata needed for Theorem 4.13 in order to obtain the preliminary results needed in the proof of the following.

Theorem 5.12 (Strong Total Correctness). Let D0, …, Dn be a restricted transformation sequence, and A be an agent.

— If (s, x) ∈ O_t(D0.A) (with x ∈ {ss, dd, pp, ff}) then there exists (s', x) ∈ O_t(Dn.A) such that s ≼ s'.

— Conversely, if (s, x) ∈ O_t(Dn.A) then there exists (s', x) ∈ O_t(D0.A) such that s ≼ s'.

As follows from the definition of ≼, we do not have exactly the equality of traces, since in some traces we might introduce some intermediate steps. However, notice that these additional steps do not introduce new values; rather, they can be seen as different "approximations" on the way to a given constraint, since we consider here monotonically increasing traces. This can best be explained by means of an example. Consider the following one-line program D0: p(Y) ← tell(X = f(a,W)) || tell(X = f(Z,b)) || tell(X = Y). Its trace semantics O_t(D0.p(Y)) contains (t, ss), where t is the trace (true; true; true; Y = f(a,b)). If we apply here a restricted tell elimination to tell(X = Y) we obtain the program D1: p(Y) ← tell(Y = f(a,W)) || tell(Y = f(Z,b)). Now, O_t(D1.p(Y)) does not contain t: one cannot obtain Y = f(a,b) from true in one step. On the other hand, O_t(D1.p(Y)) contains ((true; ∃W Y = f(a,W); Y = f(a,b)), ss) and ((true; ∃Z Y = f(Z,b); Y = f(a,b)), ss), and both traces appearing in these pairs simulate t. Notice also that the intermediate results semantics is now preserved. In fact, the following is an immediate consequence of Theorem 5.12.
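The simulation relation of Definition 5.11 is easy to decide mechanically. The following Python function is an added example, not part of the paper: it represents a trace as a sequence of constraints compared by equality and reads the definition as the example above requires, i.e. repeated (stuttering) components of s may map to the same position of s', while the first and last positions are pinned. The function name simulates and the string encoding of the constraints are assumptions of this example.

```python
# Added example, not from the paper: decide whether trace s is simulated by trace s'
# (Definition 5.11).  Constraints are compared for equality only, so any hashable
# representation (here: strings) works.

def simulates(s, s_prime):
    """Return True iff s = c1;...;cn is simulated by s' = d1;...;dm, that is, there are
    indices j1 <= ... <= jn in 1..m with c_i = d_{j_i}, j1 = 1 and jn = m.  Matching the
    middle components greedily at the earliest possible position is sufficient: only the
    last index is pinned, and an earliest match leaves the most room for what follows."""
    n, m = len(s), len(s_prime)
    if n == 0 or m == 0:
        return False
    if n == 1:                              # j1 = 1 = jn = m forces m = 1
        return m == 1 and s[0] == s_prime[0]
    if s[0] != s_prime[0] or s[-1] != s_prime[-1]:
        return False                        # first and last element must agree
    j = 0
    for c in s[1:-1]:                       # middle components, in order
        while j < m and s_prime[j] != c:
            j += 1
        if j == m:
            return False                    # c does not occur at or after the previous match
    return True

def stutter_free(s):
    """Collapse consecutive repetitions; a trace and its stutter-free version simulate each other."""
    out = []
    for c in s:
        if not out or out[-1] != c:
            out.append(c)
    return tuple(out)
```

On the traces of the example above, t = (true; true; true; Y = f(a,b)) is simulated by (true; ∃W Y = f(a,W); Y = f(a,b)), while the converse fails because the intermediate approximation ∃W Y = f(a,W) never occurs in t.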

Corollary 5.13. Let D0, …, Dn be a restricted transformation sequence, and A be an agent. Then O_i(D0.A) = O_i(Dn.A).

5.3 Preservation of infinite traces 

It is worth noting that Theorem 5.12 can be extended to consider also infinite 
traces, as we show below. 

In the following we indicate by |s| the length of a trace s, and we say that a configuration ⟨D.A, c1⟩ produces the trace c1; c2; …; cn iff there exists a derivation ⟨D.A, d1⟩ → ⟨D.A2, d2⟩ → … → ⟨D.An, dn⟩ such that c1 = d1 and cj = ∃_{−Var(A,c1)} dj for each j ∈ [2, n]. This notion can be extended to consider infinite computations (and infinite traces) in the obvious way. We also call an infinite trace c1; c2; … "active" iff, for any i ≥ 1, there exists j > i such that ⊨ ¬(ci → cj) (on the other hand, the implication cj → ci holds for any j > i when considering traces produced by CCP derivations, since they are monotonically increasing). So, an active trace is one produced by a computation which continuously updates the store by adding new constraints. Clearly, when considering infinite computations, one is interested mainly in those producing active traces, as the others are essentially pure loops which stop producing new results after a finite number of steps.

The essential result we use for extending Theorem 5.12 to infinite traces is the following: if a CCP configuration can produce all the finite prefixes of an infinite trace, then it can produce the infinite trace itself. The following Lemma contains a slightly stronger version of it. With a minor abuse of notation, in the following we denote by ; also the operator which concatenates traces. Thus, if the si are traces and the ci are constraints, for i ∈ [1, n], then c1; s1; c2; s2; …; s_{n−1}; cn denotes the trace obtained by concatenating the si and the ci in the obvious way.

Lemma 5.14. Let D.A be a CCP process and c0 be a constraint. Assume that ⟨D.A, c0⟩ produces the (infinitely many) finite traces

c0
c0; s_{1,1}; c1
c0; s_{2,1}; c1; s_{2,2}; c2
c0; s_{3,1}; c1; s_{3,2}; c2; s_{3,3}; c3
…

where the c0, c1, c2, … are different constraints (i.e., for any i, ⊨ ¬(ci → c_{i+1})) and the s_{i,j} are (finite) sub-traces such that, for each j ≥ 1, the (infinite) set containing the lengths {|s_{1,j}|, |s_{2,j}|, |s_{3,j}|, …} admits a (finite) maximal element. Then ⟨D.A, c0⟩ produces also the infinite trace c0; s1; c1; s2; c2; s3; c3; … where, for each j ≥ 1, sj = s_{i,j} for some i ≥ 1.

Proof. The proof uses Koenig's Lemma and the fact that the transition system defining the CCP operational semantics is finitely branching.

Let us denote by mj the maximal element of the set {|s_{1,j}|, |s_{2,j}|, |s_{3,j}|, …}, for each j ≥ 1, that is, mj is the maximal length of the sub-traces s_{i,j} for a fixed j and i = 1, 2, …. We now construct a tree T representing the (infinitely many) finite traces

c0
c0; s_{1,1}; c1
c0; s_{2,1}; c1; s_{2,2}; c2
c0; s_{3,1}; c1; s_{3,2}; c2; s_{3,3}; c3
…

produced by ⟨D.A, c0⟩. The nodes of the tree T are labeled by configurations of the form ⟨D.B, ci⟩, for some i, and the edges are labeled by the sub-traces s_{i,j}. More precisely, the tree T is defined inductively as follows.

(Base step). The root (level 0) of T is labeled by ⟨D.A, c0⟩. For each derivation of the form ⟨D.A, c0⟩ →* ⟨D.A_{i,1}, c1⟩ which performs at most m1 + 1 transition steps and which produces the trace c0; s_{i,1}; c1 we add a son N of the root (at level 1) labeled by ⟨D.A_{i,1}, c1⟩ and an edge, labeled by s_{i,1}, connecting the root and N.

(Inductive step). Assume that T has depth n − 1 and let ⟨D.A_{i,n−1}, c_{n−1}⟩ be a configuration labeling a node N at level n − 1. For each derivation of the form ⟨D.A_{i,n−1}, c_{n−1}⟩ →* ⟨D.A_{i,n}, cn⟩ which performs at most mn + 1 transition steps we add a son N' of N labeled by ⟨D.A_{i,n}, cn⟩ and we add an edge labeled by s_{i,n}, connecting N and N'.

Note that the number of the configurations ⟨D.A_{i,n}, cn⟩ obtained in this way is finite, since we allow at most mn + 1 transition steps. Therefore we construct a finitely branching tree.

On the other hand, such a tree contains infinitely many nodes, as it contains all the (different) constraints ci with i ≥ 1. Then, from Koenig's Lemma it follows that the tree contains an infinite branch and this, by construction of the tree, implies that ⟨D.A, c0⟩ produces the infinite trace c0; s1; c1; s2; c2; …; sn; cn; … where, for each j ≥ 1, sj = s_{i,j} for some i ≥ 1. □

We also need the following Lemma.

Lemma 5.15. Let D0, …, Dn be a restricted transformation sequence, and A be an agent. If ⟨D0.A, c0⟩ produces the trace c0; s1; c1; s2; c2; …; sm; cm, where the ci are different constraints and the si are sub-traces of constraints all equal to c_{i−1}, then ⟨Dn.A, c0⟩ produces a trace c0; s'1; c1; s'2; c2; …; s'm; cm such that, for any i ∈ [1, m], there exists ki such that |s'i| ≤ |si| + ki. Furthermore, the vice versa (obtained by exchanging D0 with Dn in the previous statement) holds as well.

Proof. The first part follows from Theorem 5.12. The part concerning the length is a direct consequence of the definition of the transformation sequence, since each transformation operation can at most add or delete a finite number of computation steps. □

We then obtain the following extension of Theorem 5.12. Here we consider the obvious extension of the relation ≼ to the case of infinite traces.

Theorem 5.16. Let D0, …, Dn be a restricted transformation sequence and A be an agent.

— If ⟨D0.A, c0⟩ produces the infinite active trace s, then ⟨Dn.A, c0⟩ produces an infinite trace s' such that s ≼ s'.

— Conversely, if ⟨Dn.A, c0⟩ produces the infinite active trace s, then ⟨D0.A, c0⟩ produces an infinite trace s' such that s ≼ s'.

Proof. Assume that ⟨D0.A, c0⟩ produces the infinite active trace

t : c0; s1; c1; s2; c2; s3; c3; …

where, in order to simplify the notation, we assume that the ci are different constraints while the si are sequences of constraints all equal to c_{i−1} (so the si are sequences of stuttering steps). Clearly, by definition of produced sequence, ⟨D0.A, c0⟩ produces also the (infinitely many) finite prefixes of t

c0
c0; s1; c1
c0; s1; c1; s2; c2
c0; s1; c1; s2; c2; s3; c3
…

From Lemma 5.15 it follows that ⟨Dn.A, c0⟩ produces the traces

c0
c0; s'_{1,1}; c1
c0; s'_{2,1}; c1; s'_{2,2}; c2
c0; s'_{3,1}; c1; s'_{3,2}; c2; s'_{3,3}; c3
…

where, for any j ≥ 1, there exists kj such that for any i ∈ [1, j] we have that |s'_{i,j}| ≤ |sj| + kj. Therefore the set {|s'_{1,j}|, |s'_{2,j}|, |s'_{3,j}|, …} admits a (finite) maximal element for each j. Lemma 5.14 then implies that ⟨Dn.A, c0⟩ produces the infinite trace t' : c0; s'1; c1; s'2; c2; s'3; c3; … and clearly, by construction, t ≼ t' holds. Analogously for the vice versa. □

5.3.1 Preservation of Termination. The results we have presented guarantee the 
correctness of the transformation system w.r.t. various semantics based on produced 
constraints. We should mention however that these results do not imply that the 
system preserves non-declarative properties such as termination. In fact, in case of 
non-active traces (that from a certain point do not generate any new constraint), 
the semantics we have considered equate infinite and finite traces. 

A full treatment of infinite computations is beyond the scope of this paper and 
is left for future work. 

Nevertheless, we claim that the transformation system we have proposed here cannot introduce non-termination. That is, if the initial program, for a given configuration, does not produce any infinite computation, then this is the case also for the transformed program.

We now provide a sketch of a proof of this claim by considering a specific class of declarations, and by showing the intuitive, informal argument that indicates the proof methodology to be used for the general case.

Let us then assume that declarations do not contain mutually recursive definitions (note that mutually recursive definitions can usually be eliminated by means of unfolding). We also concentrate on the restricted system, which preserves active traces. In the following we say that a configuration ⟨D.A, c⟩ terminates if it produces only finite computations, while we say that it does not terminate if it produces also at least one infinite derivation.

Let D0, …, Dn be a transformation sequence, and assume that ⟨Dn.A, c⟩ has an infinite (non active)⁷ trace. This implies that there exists a derivation ⟨Dn.A, c⟩ → ⟨Dn.A1, c1⟩ →* … →* ⟨Dn.Ai, ci⟩ →* …, where for some k, for each i ≥ k, ∃_{−Var(A,c)} ci = ∃_{−Var(A,c)} ck holds. Assume also that for each i ∈ [0, n − 1], ⟨Di.A, c⟩ terminates.

⁷ In case of active traces, our result on the preservation of intermediate results guarantees the preservation of termination.

It is easy to see that the only operation that might introduce non-termination is the folding one (all other operations are clearly "safe" in this respect). So the situation is the following:

d : H ← C[A'] ∈ D_{n−1}
f : B ← A' ∈ D0
d' : H ← C[B] ∈ Dn



This operation can introduce non-termination only when it introduces recursion, i.e., when the definition of B depends on the one of H. The typical case is when B and H have the same predicate and in the following, for the sake of simplicity, we assume that this is the case, so we assume that:

d : p(X) ← C[A'] ∈ D_{n−1}
f : p(Y) ← A' ∈ D0
d' : p(X) ← C[p(Y)] ∈ Dn



From the definition of folding we have that C[ ] is a guarding context and Var(A') ∩ Var(C, X) ⊆ Y (f and d are suitably renamed so that the variables they have in common are only those occurring in A'). Since C is a guarding context let us assume that C[ ] = C'[Σ_{i=1}^{n} ask(c'i) → A'i], where A'k = C''[ ] and C'[ ] and C''[ ] are non-guarding contexts. If the infinite computation is due to the folding operation then the derivation above must contain an infinite number of calls of the form p(Y)σi, where, for each i ≥ 1, σi is a renaming and the current store di entails c'k σi. Moreover, assume that A is of the form C0[p(v)].

Now, by the definition of transformation sequence, the unfolding is the only operation which can introduce a new ask action, thus the guard c'k in the context C[ ] was certainly introduced during an unfolding operation of an agent in A' with a recursive definition (recall that d must be obtained from f, thus, by unfolding A' we must obtain C[A'], and that we are restricting to the case of direct recursion). Therefore A' must contain an atom q, whose definition in D0 is

d : q(Z) ← D[q(W)] ∈ D0

where the weakest produced constraint of D is precisely c'k ρ, for some appropriate renaming ρ. Notice also that all tell actions present in D can be skipped (they are always in parallel with the rest, they don't form a guard). Because of this, by taking c as initial store, one can show that there exists an infinite derivation starting from ⟨D0.C0[p(v)], c⟩ where, from a certain point j of the derivation, the current store dj satisfies ∃_{−Var(C0[p(v)],c)} dj = ∃_{−Var(C0[p(v)],c)} ci.

This is in contrast with the hypothesis made on the original program, thus showing that no new infinite computation is generated.

In the rest of the paper we are going to provide some extra examples of transformations and, in the Appendix, the technical proofs of the correctness results.
6. MORE EXAMPLES

The following example is inspired by the one in [Etalle et al. 1998]. It shows that the 
transformation system can be used to simplify the dynamic behavior of a program 
to the point that it can be used to prove deadlock freeness. All the operations used 
in it are of the restricted sort; the transformation preserves thus the semantics of 
the intermediate results as well as that of terminating derivations. 

Here and in the following we say that a variable X is instantiated to a term t 
in case the current store entails X = t. Accordingly, we also say that an agent 
instantiates a variable X to t in case that the agent adds the constraint X = t to 
the store. Finally, we say that X is instantiated if the store entails X = t for some 
non variable term t. 

Example 6.1. Consider the following simple Collect-Deliver program, which uses a buffer of length one:

collect_deliver ← collect(Xs) || deliver(Xs).

collect(Xs) ←                              % collects tokens and puts them in the queue Xs
    ask(∃X,Xs' Xs=[X|Xs']) → tell(Xs=[X|Xs']) || get_token(X) || collect(Xs')
  + ask(Xs=[ ]) → stop.

deliver([Y|Ys]) ←                          % delivers the tokens in the queue Xs
    ask(Y=eof) → tell(Ys=[ ])
  + ask(Y ≠ eof) → deliver_token(Y) || deliver(Ys).

The dynamic behavior of this program is not elementary. collect(Xs) behaves as follows: (a) it waits until more information for the variable Xs is produced; (b1) if Xs is instantiated to [X|Xs'] (i.e. when the store entails ∃X,Xs' Xs = [X|Xs']) then (by using get_token(X)) it instantiates X with the value it collects; (b2) if Xs is instantiated to [ ] it stops. On the other hand, the actions deliver(Xs) performs are: (a) it instantiates Xs to [Y|Ys] (this activates collect(Xs)), then (b) it waits until Y is instantiated. Now there are two possibilities: (c1) if Y is the end of file character then it instantiates Ys to [ ] (this will also stop the collector); (c2) otherwise it delivers Y (by using deliver_token(Y)) and proceeds with the recursive call (which will further activate collect).

Thus, collect_deliver actually implements a communication channel with a buffer of length one, and Xs is a bidirectional communication channel. Note also that proving that this program is deadlock-free is not trivial.

We now proceed with the transformation. First we unfold deliver(Xs) in the body of the first definition. The result, after cleaning up the definition via a (restricted) tell elimination, is

collect_deliver ← collect([Y|Ys]) ||
    ( ask(Y=eof) → tell(Ys=[ ])
    + ask(Y ≠ eof) → deliver_token(Y) || deliver(Ys)).

Then, we unfold collect([Y|Ys]) in the resulting definition; we obtain

collect_deliver ←
    ( ask(∃X,Xs [Y|Ys] = [X|Xs]) → tell([Y|Ys] = [X|Xs]) || get_token(X) || collect(Xs)
    + ask([Y|Ys] = [ ]) → stop)
  ||
    ( ask(Y=eof) → tell(Ys=[ ])
    + ask(Y ≠ eof) → deliver_token(Y) || deliver(Ys))

This definition can be simplified: first, by an ask simplification, we obtain

collect_deliver ←
    ( ask(true) → tell([Y|Ys] = [X|Xs]) || get_token(X) || collect(Xs)
    + ask(false) → stop)
  ||
    ( ask(Y=eof) → tell(Ys=[ ])
    + ask(Y ≠ eof) → deliver_token(Y) || deliver(Ys))

Then we can eliminate the branch ask(false) → stop, eliminate tell([Y|Ys]=[X|Xs]) and eliminate the ask(true); the result is

collect_deliver ← get_token(Y) || collect(Ys) ||
    ( ask(Y=eof) → tell(Ys=[ ])
    + ask(Y ≠ eof) → deliver_token(Y) || deliver(Ys))

Now, we apply the restricted distributive operation in order to bring collect(Ys) inside the scope of the ask construct. Notice that collect(Ys) requires Ys; Remark 5.7 therefore allows us to apply the operation.

collect_deliver ← get_token(Y) ||
    ( ask(Y=eof) → collect(Ys) || tell(Ys=[ ])
    + ask(Y ≠ eof) → deliver_token(Y) || collect(Ys) || deliver(Ys))

We can now fold collect(Ys) || deliver(Ys), using the original definition collect_deliver ← collect(Xs) || deliver(Xs). We obtain

collect_deliver ← get_token(Y) ||
    ( ask(Y=eof) → collect(Ys) || tell(Ys=[ ])
    + ask(Y ≠ eof) → deliver_token(Y) || collect_deliver)

To clean up the result, we can now eliminate tell(Ys=[ ]), unfold the obtained collect([ ]) agent, and perform the usual clean-up operations on the result. Our final program is the simple

collect_deliver ← get_token(Y) ||
    ( ask(Y=eof) → stop
    + ask(Y ≠ eof) → deliver_token(Y) || collect_deliver)

It is important to compare this to the initial program. In particular, three aspects are worth noticing.

First, as opposed to the initial program, the resulting one has a straightforward dynamic behavior. For instance, if we consider the agent collect_deliver, one can easily see it to be deadlock-free in the latter program, while in the original program this is not at all immediate. After proving that the transformation neither introduces nor eliminates any deadlocking branch in the semantics of the program, we are able to state that "since the resulting program is deadlock-free then also the initial program is deadlock-free". Thus program transformations can be profitably used as an analysis tool: it is in fact often easier to prove deadlock freeness for a transformed version of a program than for the original one.

Secondly, the resulting program is more efficient than the initial one: in fact it does not need to use the global store as heavily as the initial one for passing the parameters between collect and deliver.

Finally, it is straightforward to check that all transformation operations used here are of the restricted kind; therefore, by the Strong Total Correctness Theorem 5.12, this transformation is correct w.r.t. the sequence of intermediate results.
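To make the comparison concrete, here is an added Python model (not the paper's code) that runs the original Collect-Deliver program and the final transformed one on the same constructed token stream. Each agent of the original program is a generator that suspends on the logic variable it is waiting for, and a round-robin scheduler reports ss when every agent reaches stop and dd when all remaining agents are suspended. The Store class, the scheduler run, the function names and the tell_first switch (a constructed variant of deliver that asks Y before telling Xs, used only to show what a deadlock report looks like) are assumptions of this example; the scheduler explores one fixed interleaving, so it checks a run rather than deadlock freeness over all derivations.

```python
# Added example, not from the paper: one-interleaving execution of Example 6.1.
from collections import deque


class Store:
    """Monotone global store: a logic variable is unbound or bound exactly once.
    Telling a second, different value for a bound variable would make the store false;
    the constructed programs below never do that."""

    def __init__(self):
        self.bindings = {}
        self.fresh_count = 0

    def fresh(self, prefix):
        self.fresh_count += 1
        return f"{prefix}_{self.fresh_count}"

    def tell(self, var, value):
        if self.bindings.setdefault(var, value) != value:
            raise ValueError(f"store became inconsistent on {var}")

    def ask(self, var):
        return self.bindings.get(var)        # None: not entailed yet, the agent must suspend


def collect(store, xs, tokens):
    """Original collect(Xs): wait until Xs is instantiated; on [X|Xs'] bind X to the next
    token (get_token) and recurse on Xs'; on [ ] stop.  tokens must end with 'eof'."""
    while True:
        cell = store.ask(xs)
        while cell is None:
            yield xs                         # neither ask guard is entailed: suspend on Xs
            cell = store.ask(xs)
        if cell == "[]":
            return
        x, xs = cell                         # Xs = [X|Xs']
        store.tell(x, tokens.popleft())      # get_token(X)


def deliver(store, xs, delivered, tell_first=True):
    """Original deliver(Xs): head unification tells Xs=[Y|Ys], then wait for Y; eof closes
    Ys, any other token is delivered and deliver(Ys) is called.  tell_first=False is a
    constructed broken variant that asks Y before telling Xs."""
    while True:
        y, ys = store.fresh("Y"), store.fresh("Ys")
        if tell_first:
            store.tell(xs, (y, ys))
        val = store.ask(y)
        while val is None:
            yield y                          # ask(Y=eof) / ask(Y≠eof) not entailed: suspend on Y
            val = store.ask(y)
        if not tell_first:
            store.tell(xs, (y, ys))
        if val == "eof":
            store.tell(ys, "[]")
            return
        delivered.append(val)                # deliver_token(Y)
        xs = ys


def run(store, agents):
    """Round-robin scheduler.  Each agent yields the variable it suspends on and is resumed
    once that variable is bound.  Returns 'ss' when every agent stops, 'dd' when all the
    remaining agents are suspended on unbound variables."""
    waiting = {agent: None for agent in agents}
    while waiting:
        progressed = False
        for agent in list(waiting):
            var = waiting[agent]
            if var is not None and store.ask(var) is None:
                continue                     # still suspended
            progressed = True
            try:
                waiting[agent] = next(agent)
            except StopIteration:
                del waiting[agent]
        if not progressed:
            return "dd"
    return "ss"


def collect_deliver_original(tokens, tell_first=True):
    """collect_deliver ← collect(Xs) || deliver(Xs), run to completion."""
    store, delivered = Store(), []
    xs = store.fresh("Xs")
    agents = [collect(store, xs, deque(tokens)), deliver(store, xs, delivered, tell_first)]
    return run(store, agents), delivered


def collect_deliver_transformed(tokens):
    """Final program: get_token(Y) || (ask(Y=eof) → stop + ask(Y≠eof) → deliver_token(Y) || collect_deliver).
    No store traffic is needed between the two halves, which is the efficiency point."""
    tokens, delivered = deque(tokens), []
    while True:
        y = tokens.popleft()                 # get_token(Y)
        if y == "eof":
            return "ss", delivered
        delivered.append(y)                  # deliver_token(Y)
```

Both versions deliver the same tokens and report ss on a stream ending with eof; the broken variant deadlocks at once, because collect waits on Xs while deliver waits on a Y that nobody can bind.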

We show now an application of our methodology with a third example, containing 
an extended folding operation (see discussion after Definition 3.15): this is the case 
when the replaced agent coincides with an instance of the body of the folding 
definition. 

Example 6.2. We consider a stream protocol problem where two input streams 
are merged into an output stream. An input stream consists of lines of messages, 
and each line has to be passed to the output stream without interruption. Input 
and output streams are dynamically constructed by a reader and a monitor process, 
respectively. A reader communicates with the monitor by means of a buffer of length 
one, and is synchronized in such a way that it can read a new message only when 
the buffer is empty (i.e., when the previous message has been processed by the 
monitor). On the other hand, the monitor can access a buffer only when it is not 
empty (i.e., when the corresponding reader has put a message into its buffer). This 
protocol is implemented by the following program STREAMER: 

streamer ← reader(left,Ls) || reader(right,Rs) || monitor(Ls,Rs,idle)

reader(Channel,Xs) ←
    ask(∃X,Xs' Xs=[X|Xs']) → tell(Xs=[X|Xs']) || read(Channel,X) || reader(Channel,Xs')
  + ask(Xs=[ ]) → stop.

monitor([L|Ls],[R|Rs],State) ←
    ask(State=idle) →                                  % waiting for an input
      ( ask(char(L)) → monitor([L|Ls],[R|Rs],left)
      + ask(char(R)) → monitor([L|Ls],[R|Rs],right))
  + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
      ( ask(L=eof) → tell(Ls=[ ]) || onestream([R|Rs])
      + ask(L=eol) → monitor(Ls,[R|Rs],idle)
      + ask(L ≠ eol AND L ≠ eof) → monitor(Ls,[R|Rs],left))
  + ask(State=right) → ask(char(R)) → ...             % analogously for the right stream

onestream([X|Xs]) ←
    ask(char(X)) →
      ( ask(X=eof) → tell(Xs=[ ])
      + ask(X ≠ eof) → write(X) || onestream(Xs))

Here, the primitive agent read(Channel,X) is supposed to read an input token from 
channel Channel and instantiate X with the read value; similarly, write(X) writes the 
value of X to the (unique) output stream. The primitive constraint predicate char is 
true if its argument is either a printable (e.g. ASCII) character or if it is equal to eol 
or eof, which are constants denoting the end of line and the end of file characters, 
respectively. Furthermore, the agent reader(Channel,Xs) waits to process Channel 
until Xs is instantiated; monitor(Ls,Rs, State) takes care of merging Ls and Rs and 
of writing to the output; the agent onestream(Xs) takes care of handling the single 
stream Xs (when one of the streams has finished). Finally, the constants left, right and idle describe the state of the monitor, i.e., whether it is processing a message from the left stream, from the right stream, or whether it is idle, respectively.

Notice that reader(Channel,Xs) suspends until Xs is instantiated and that Xs will 
eventually be instantiated by the monitor process. 

We can now transform the STREAMER program in order to improve its efficiency. First we add the following new declaration to the original program.

handle_two(L,R,State) ← reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],State)

Next, we unfold the agent monitor([L|Ls],[R|Rs],State) in the new declaration and then we perform the subsequent tell eliminations (these are restricted in virtue of the argument presented after Definition 5.8). The result of these operations is the following program.

handle_two(L,R,State) ← reader(left,Ls) || reader(right,Rs) ||
    ( ask(State=idle) →                                  % waiting for an input
        ( ask(char(L)) → monitor([L|Ls],[R|Rs],left)
        + ask(char(R)) → monitor([L|Ls],[R|Rs],right))
    + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
        ( ask(L=eof) → tell(Ls=[ ]) || onestream([R|Rs])
        + ask(L=eol) → monitor(Ls,[R|Rs],idle)
        + ask(L ≠ eol AND L ≠ eof) → monitor(Ls,[R|Rs],left))
    + ask(State=right) → ask(char(R)) → ... )           % analogously for the right stream

According to Definition 3.11, the agent reader(left,Ls) requires the variable Ls and reader(right,Rs) requires the variable Rs. By Remark 3.12 it is possible for us to apply the distribution operation twice⁸ and bring them inside the ask constructs. The result is the following program.

handle_two(L,R,State) ←
    ( ask(State=idle) →                                  % waiting for an input
        ( ask(char(L)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],left)
        + ask(char(R)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],right))
    + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
        ( ask(L=eof) → reader(left,Ls) || reader(right,Rs) || tell(Ls=[ ]) || onestream([R|Rs])
        + ask(L=eol) → reader(left,Ls) || reader(right,Rs) || monitor(Ls,[R|Rs],idle)
        + ask(L ≠ eol AND L ≠ eof) → reader(left,Ls) || reader(right,Rs) || monitor(Ls,[R|Rs],left))
    + ask(State=right) → ask(char(R)) → ... )           % analogously for the right stream

In this program we can now eliminate tell(Ls=[ ]) in the agent reader(left,Ls) || reader(right,Rs) || tell(Ls=[ ]) || onestream([R|Rs]), thus obtaining⁹:

handle_two(L,R,State) ←
    ( ask(State=idle) →                                  % waiting for an input
        ( ask(char(L)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],left)
        + ask(char(R)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],right))
    + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
        ( ask(L=eof) → reader(left,[ ]) || reader(right,Rs) || onestream([R|Rs])
        + ask(L=eol) → reader(left,Ls) || reader(right,Rs) || monitor(Ls,[R|Rs],idle)
        + ask(L ≠ eol AND L ≠ eof) → reader(left,Ls) || reader(right,Rs) || monitor(Ls,[R|Rs],left))
    + ask(State=right) → ask(char(R)) → ... )           % analogously for the right stream

⁸ Remark 5.7 guarantees also that in both cases it is a restricted distribution operation.

⁹ Again, it is true that the variable Ls here occurs also elsewhere in the definition, but since it occurs only on choice-branches different from the one on which the considered agent lies, we can assume it to be renamed.

ACM Transactions on Programming Languages and Systems, Vol. TBD, No. TDB, Month Year.
46 • Sandro Etalle et al.

In this program, the unfolding of the agent reader(left,[ ]) yields as result the agent

    ask(∃X,Xs' [ ] = [X|Xs']) → tell([ ] = [X|Xs']) || read(Channel,X) || reader(Channel,Xs')
  + ask([ ] = [ ]) → stop.

By (trivial) guard simplification, this can become

    ask(false) → tell([ ] = [X|Xs']) || read(Channel,X) || reader(Channel,Xs')
  + ask(true) → stop.

Now, by using branch elimination we can eliminate the first branch and by applying the conservative ask elimination we can transform the second branch into stop. The application of these operations yields:

handle_two(L,R,State) ←
    ( ask(State=idle) →                                  % waiting for an input
        ( ask(char(L)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],left)
        + ask(char(R)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],right))
    + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
        ( ask(L=eof) → reader(right,Rs) || onestream([R|Rs])
        + ask(L=eol) → reader(left,Ls) || reader(right,Rs) || monitor(Ls,[R|Rs],idle)
        + ask(L ≠ eol AND L ≠ eof) → reader(left,Ls) || reader(right,Rs) || monitor(Ls,[R|Rs],left))
    + ask(State=right) → ask(char(R)) → ... )           % analogously for the right stream

We now apply the backward instantiation operation to monitor(Ls,[R|Rs],idle) and to monitor(Ls,[R|Rs],left). By cleaning up the result with a tell elimination¹⁰, this amounts to instantiating Ls to [L'|Ls']. Therefore, we have obtained

handle_two(L,R,State) ←
    ( ask(State=idle) →                                  % waiting for an input
        ( ask(char(L)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],left)
        + ask(char(R)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],right))
    + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
        ( ask(L=eof) → reader(right,Rs) || onestream([R|Rs])
        + ask(L=eol) → reader(left,[L'|Ls']) || reader(right,Rs) || monitor([L'|Ls'],[R|Rs],idle)
        + ask(L ≠ eol AND L ≠ eof) → reader(left,[L'|Ls']) || reader(right,Rs) || monitor([L'|Ls'],[R|Rs],left))
    + ask(State=right) → ask(char(R)) → ... )           % analogously for the right stream

¹⁰ This is the first operation in this example that is not restricted.

In order to prepare the program for the folding operation we need one more clean-up phase: using the unfolding and some simplification operations, we can replace each call reader(left,[L'|Ls']) with read(left,L') || reader(left,Ls'). The result of these operations is the program:

handle_two(L,R,State) ←
    ( ask(State=idle) →                                  % waiting for an input
        ( ask(char(L)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],left)
        + ask(char(R)) → reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],right))
    + ask(State=left) → ask(char(L)) → write(L) ||      % processing the left stream
        ( ask(L=eof) → reader(right,Rs) || onestream([R|Rs])
        + ask(L=eol) → read(left,L') || reader(left,Ls') || reader(right,Rs) || monitor([L'|Ls'],[R|Rs],idle)
        + ask(L ≠ eol AND L ≠ eof) → read(left,L') || reader(left,Ls') || reader(right,Rs) || monitor([L'|Ls'],[R|Rs],left))
    + ask(State=right) → ask(char(R)) → ... )           % analogously for the right stream

We can now apply twice the extended folding operation. The first folding allows
us to replace reader(left,Ls) || reader(right,Rs) || monitor([L|Ls],[R|Rs],left) with
handle_two(L,R,left). With the second one we replace reader(left,Ls) || reader(right,Rs)
|| monitor([L|Ls],[R|Rs],right) with handle_two(L,R,right). Recall that the extended
folding operation, as described in Subsection 3.7, occurs when the replaced agent
coincides with a non-trivial instance of the body of the folding definition; as
already explained in the discussion after Definition 3.15, this is only a shorthand for
a sequence of tell introduction, folding and tell elimination, as described in Subsection
3.7. The resulting program after these two operations is:

handle_two(L,R,State) ←
  ( ask(State=idle) →                                % waiting for an input
      ( ask(char(L)) → handle_two(L,R,left)
      + ask(char(R)) → handle_two(L,R,right))
  + ask(State=left) → ask(char(L)) → write(L) ||     % processing the left stream
      ( ask(L=eof) → reader(right,Rs) || onestream([R|Rs])
      + ask(L=eol) → read(left,L') || reader(left,Ls') || reader(right,Rs) ||
                     monitor([L'|Ls'],[R|Rs],idle)
      + ask(L≠eol ∧ L≠eof) → read(left,L') || reader(left,Ls') || reader(right,Rs) ||
                     monitor([L'|Ls'],[R|Rs],left))
  + ask(State=right) → ask(char(R)) → ... )          % analogously for the right stream

Then, we perform two more extended foldings: with the first one we replace the
agent reader(left,Ls') || reader(right,Rs) || monitor([L'|Ls'],[R|Rs],idle) with the agent
handle_two(L',R,idle); with the second one we replace reader(left,Ls') || reader(right,Rs)
|| monitor([L'|Ls'],[R|Rs],left) with handle_two(L',R,left). The resulting program is

handle_two(L,R,State) ←
  ( ask(State=idle) →                                % waiting for an input
      ( ask(char(L)) → handle_two(L,R,left)
      + ask(char(R)) → handle_two(L,R,right))
  + ask(State=left) → ask(char(L)) → write(L) ||     % processing the left stream
      ( ask(L=eof) → reader(right,Rs) || onestream([R|Rs])
      + ask(L=eol) → read(left,L') || handle_two(L',R,idle)
      + ask(L≠eol ∧ L≠eof) → read(left,L') || handle_two(L',R,left))
  + ask(State=right) → ask(char(R)) → ... )          % analogously for the right stream

Notice that now the definition of handle_two is recursive. Moreover, the above
program is almost completely independent from the definition of reader. In order
to eliminate the atom reader(right,Rs) as well, we use an unfold/fold transformation
similar to (but simpler than) the previous one. This transformation starts with the
new definition (see the footnote below):

handle_one(X,Channel) ← reader(Channel,Xs) || onestream([X|Xs])

After the transformation, we end up with the definition: 

handle_one(X,Channel) ← ask(char(X)) →
  ( ask(X=eof) → stop
  + ask(X≠eof) → write(X) || read(Channel,X') || handle_one(X',Channel))

Also in this case the folding operation allows us to save computational space. In
fact, the parallel composition of reader and of onestream in the original definition
leads to the construction of a list containing all the data read so far. In a concurrent
setting this list could easily be of unbounded size and monotonically increasing. The
initial definition employs a computational space which is linear in the input. After
the transformation we have a definition which does not build the list any longer, and
which could be optimized to employ only constant space (this could be achieved
by using a garbage collection mechanism which allows one to re-use the space
allocated for local variables).

We now continue with the last steps of our example. By folding handle_one into 
the last definition of handle_two, we obtain 

handle_two(L,R,State) ←
  ( ask(State=idle) →                                % waiting for an input
      ( ask(char(L)) → handle_two(L,R,left)
      + ask(char(R)) → handle_two(L,R,right))
  + ask(State=left) → ask(char(L)) → write(L) ||     % processing the left stream
      ( ask(L=eof) → handle_one(R,right)
      + ask(L=eol) → read(left,L') || handle_two(L',R,idle)
      + ask(L≠eol ∧ L≠eof) → read(left,L') || handle_two(L',R,left))
  + ask(State=right) → ask(char(R)) → ... )          % analogously for the right stream



Footnote: This definition is presented here for the sake of clarity; however, recall that we assume that it is
added to the original program at the beginning of the transformation.
We now want to let streamer benefit from the improvements we have obtained via
this transformation. First, we transform its definition by applying the backward
instantiation to monitor(Ls,Rs,idle), and obtain:

streamer ← reader(left,[L|Ls]) || reader(right,[R|Rs]) || monitor([L|Ls],[R|Rs],idle).

Next, we unfold the two reader atoms, and eliminate the redundant ask and tell
guards.

streamer ← read(left,L) || reader(left,Ls) ||
           read(right,R) || reader(right,Rs) || monitor([L|Ls],[R|Rs],idle).

We can now fold handle_two in it (via an extended folding operation), obtaining:

streamer ← read(left,L) || read(right,R) || handle_two(L,R,idle).

Note that this last folding operation is applied to a non-guarding context. As 
discussed in Remark 3.16, we can apply the folding also in this case because the 
definition of streamer is never modified nor used by the transformation. So we 
can simply assume that the original definition of streamer contained a dummy ask 
guard as in 

streamer ← ask(true) → ( read(left,L) || reader(left,Ls) || read(right,R) ||
                         reader(right,Rs) || monitor([L|Ls],[R|Rs],idle) )

Then we assume that the folding operation is applied to this definition, and that 
the guard ask(true) will eventually be removed by an ask elimination operation. 

In the final program, we only need the definitions of streamer and of handle_two
together with the ones of the built-in predicates. Observe that the definition of
streamer is much more efficient than the original one. Firstly, it now benefits from
a straightforward left-to-right dataflow. In the initial program the variables Ls and
Rs are employed as bidirectional communication channels: in fact there exist two
agents (reader and monitor) which alternate in "instantiating" them further. This
is not the case in the final program, where for each variable it is clear which agent
is supposed to "instantiate" it (i.e. to progressively add information to
the store about it). This fact makes possible on the final program a number
of powerful compile-time (low-level) optimizations which are not possible on the
first program.

Secondly, the number of suspension points is dramatically reduced: in the original
program reader had to suspend and awaken itself at each input token. In the final
one streamer is independent from reader and has to suspend less often.

Last but certainly not least, as previously mentioned, streamer now does not
construct the list and could be optimized to employ a constant computational
space, while in its initial version it employed a space linear in the input, that is,
possibly unbounded. It is worth remarking that in a concurrent setting processes
are often not meant to end their computation, in which case it is of vital importance
that the computational space remains bounded in size; thus in this context a space
gain like the one obtained in the above example makes the difference between a
viable and a non-viable definition.
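The two space arguments above (for handle_one and for streamer) can be checked on a toy model. The following Python simulation is an added example and not code from the paper: it models the built-in read(Channel,X) as taking the next token from a Python iterator, runs the initial definition reader(Channel,Xs) || onestream([X|Xs]) under a round-robin scheduler that records how many cells of the shared list are alive, and runs the transformed handle_one, which keeps only the current token. The eof token, the scheduler and the counters are this example's own constructions, as is the sample input.

```python
from typing import Iterator, List, Tuple

# Constructed end-of-input token, standing for the eof tested by ask(X=eof).
EOF = "eof"


def read(channel: Iterator[str]) -> str:
    """Model of the built-in read(Channel, X) (an assumption of this
    simulation): the next token of the channel, or eof once it is exhausted."""
    return next(channel, EOF)


def handle_one_initial(channel: Iterator[str]) -> Tuple[List[str], int]:
    """handle_one(X, Channel) <- reader(Channel, Xs) || onestream([X|Xs]),
    the definition the transformation starts from.  reader instantiates the
    shared list one cell per token; onestream walks the same list.  The two
    agents are interleaved by a round-robin scheduler, so the list keeps every
    token read so far and its size grows linearly with the input.
    Returns the tokens written and the peak number of list cells alive."""
    xs: List[str] = []          # the shared list, only ever extended
    written: List[str] = []
    consumed = 0                # onestream's position in xs
    reader_done = False
    peak = 0
    while True:
        # reader step: read one more token and instantiate the next cell
        if not reader_done:
            token = read(channel)
            xs.append(token)
            reader_done = token == EOF
            peak = max(peak, len(xs))
        # onestream step: ask(char(X)) is entailed once the cell is bound
        if consumed < len(xs):
            token = xs[consumed]
            consumed += 1
            if token == EOF:            # ask(X=eof) -> stop
                return written, peak
            written.append(token)       # ask(X/=eof) -> write(X) || onestream(Xs)


def handle_one_transformed(channel: Iterator[str]) -> List[str]:
    """handle_one(X, Channel) after the unfold/fold transformation: no list is
    built, the agent holds only the current token X between two reads."""
    written: List[str] = []
    x = read(channel)           # the read(Channel, X) issued by the caller
    while x != EOF:             # ask(X=eof) -> stop
        written.append(x)       # ask(X/=eof) -> write(X) ||
        x = read(channel)       #   read(Channel, X') || handle_one(X', Channel)
    return written


def compare(tokens: List[str]) -> Tuple[bool, int]:
    """Run both definitions on the same constructed stream; report whether they
    write the same tokens and how many cells the initial definition kept alive."""
    initial_out, peak = handle_one_initial(iter(tokens))
    transformed_out = handle_one_transformed(iter(tokens))
    return initial_out == transformed_out, peak


if __name__ == "__main__":
    same, peak = compare(list("a line of input") + [EOF])   # constructed input
    print(f"same output: {same}, peak list cells in initial version: {peak}")
```

The peak reported for the initial definition is always the number of tokens read (eof included), whereas the transformed definition never holds more than one token, which is the constant-space behaviour claimed above; on an input that is never closed by eof the first number would grow without bound.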

Example 6.3. This is a variation on a standard example for unfold/fold transformations:
a program computing the sum and the length of the elements in a list.
The variation consists in the fact that we consider only the elements of the list
which are larger than the given parameter Limit. We assume here that the constraint
system being used incorporates some arithmetic domain. Therefore, in the
following program we use also arithmetic constraints, with the obvious intended
meaning.

sumlen(Xs,Limit,S,L) ← sum(Xs,Limit,S) || len(Xs,Limit,L)

sum(Xs,Limit,S) ←
  ( ask(Xs=[]) → tell(S=0)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S') ||
                                          tell(S=S'+Y))

len(Xs,Limit,L) ←
  ( ask(Xs=[]) → tell(L=0)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
                                          len(Ys,Limit,L)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
                                          len(Ys,Limit,L') ||
                                          tell(L=L'+1))

With two unfoldings we obtain:

sumlen(Xs,Limit,S,L) ←
  ( ask(Xs=[]) → tell(S=0)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S') ||
                                          tell(S=S'+Y))
  ||
  ( ask(Xs=[]) → tell(L=0)
  + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' < Limit)) → tell(Xs=[Y'|Ys']) ||
                                              len(Ys',Limit,L)
  + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' > Limit)) → tell(Xs=[Y'|Ys']) ||
                                              len(Ys',Limit,L') ||
                                              tell(L=L'+1))

We now apply the (restricted) distribution operation; in practice, we now bring one 
choice inside the other one. 

sumlen(Xs,Limit,S,L) ←
  ( ask(Xs=[]) → tell(S=0) ||
      ( ask(Xs=[]) → tell(L=0)
      + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' < Limit)) → tell(Xs=[Y'|Ys']) ||
                                                  len(Ys',Limit,L)
      + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' > Limit)) → tell(Xs=[Y'|Ys']) ||
                                                  len(Ys',Limit,L') ||
                                                  tell(L=L'+1))
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
      sum(Ys,Limit,S) ||
      ( ask(Xs=[]) → tell(L=0)
      + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' < Limit)) → tell(Xs=[Y'|Ys']) ||
                                                  len(Ys',Limit,L)
      + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' > Limit)) → tell(Xs=[Y'|Ys']) ||
                                                  len(Ys',Limit,L') ||
                                                  tell(L=L'+1))
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
      sum(Ys,Limit,S') ||
      tell(S=S'+Y) ||
      ( ask(Xs=[]) → tell(L=0)
      + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' < Limit)) → tell(Xs=[Y'|Ys']) ||
                                                  len(Ys',Limit,L)
      + ask(∃Y',Ys' (Xs=[Y'|Ys'] ∧ Y' > Limit)) → tell(Xs=[Y'|Ys']) ||
                                                  len(Ys',Limit,L') ||
                                                  tell(L=L'+1)))

It is worth noticing that the applicability conditions of Definition 3.10 are trivially
satisfied thanks to the fact that both choices depend on the same variable Xs. Notice
also that in this case we cannot apply Remark 3.12; in fact this is an example of a
distribution operation which is not possible with the tools of [Etalle et al. 1998].

By using the ask simplification followed by a branch elimination and by a con- 
servative ask elimination we obtain the following program. Notice that the ask 
simplification is possible here because we can take arithmetic constraints into ac- 
count. 

sumlen(Xs,Limit,S,L) ←
  ( ask(Xs=[]) → tell(S=0) || tell(L=0)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S) ||
                                          tell(Xs=[Y'|Ys']) ||
                                          len(Ys',Limit,L)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S') ||
                                          tell(S=S'+Y) ||
                                          tell(Xs=[Y'|Ys']) ||
                                          len(Ys',Limit,L') ||
                                          tell(L=L'+1))

Via a tell simplification (the first and last non-restricted operation of this example),
we can transform tell(Xs=[Y'|Ys']) into tell([Y|Ys]=[Y'|Ys']); by subsequently
applying a tell elimination we obtain:

sumlen(Xs,Limit,S,L) ←
  ( ask(Xs=[]) → tell(S=0) || tell(L=0)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S) ||
                                          len(Ys,Limit,L)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
                                          sum(Ys,Limit,S') ||
                                          tell(S=S'+Y) ||
                                          len(Ys,Limit,L') ||
                                          tell(L=L'+1))

We can now apply the folding operation. 
sumlen(Xs,Limit,S,L) ←
  ( ask(Xs=[]) → tell(S=0) || tell(L=0)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit)) → tell(Xs=[Y|Ys]) ||
                                          sumlen(Ys,Limit,S,L)
  + ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit)) → tell(Xs=[Y|Ys]) ||
                                          sumlen(Ys,Limit,S',L') ||
                                          tell(S=S'+Y) ||
                                          tell(L=L'+1))

Again, we have reached a point in which the main definition is directly recursive. 
Moreover, the number of choice-points encountered while traversing a list is now 
half of what it was initially. 
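As an added illustration (not part of the paper), the following Python model runs the initial definition of sumlen (sum || len, two traversals) and the folded, directly recursive one on the same constructed list and counts the choice points each of them evaluates. The helper names, the trace bookkeeping and the Suspended exception are this example's own. It follows the guards exactly as printed above: an element equal to Limit entails neither Y < Limit nor Y > Limit, so the choice agent suspends on it (if the intended first guard were Y ≤ Limit, that branch would absorb the case); the model raises Suspended there instead of silently skipping or counting the element.

```python
from typing import List, Tuple


class Suspended(Exception):
    """No ask guard of a choice is entailed by the store, so the agent suspends.
    With the guards as printed (Y < Limit and Y > Limit) this happens for an
    element equal to Limit, whose constraint entails neither guard."""


def _select(y: int, limit: int) -> str:
    """Evaluate the guards of one choice point on a bound list cell."""
    if y < limit:
        return "skip"           # ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y < Limit))
    if y > limit:
        return "take"           # ask(∃Y,Ys (Xs=[Y|Ys] ∧ Y > Limit))
    raise Suspended(f"neither Y < Limit nor Y > Limit entailed for Y={y}, Limit={limit}")


def sum_initial(xs: List[int], limit: int, trace: List[str]) -> int:
    """sum(Xs, Limit, S): one choice point per list cell (recorded in trace)."""
    trace.append("sum")
    if not xs:                                   # ask(Xs=[]) -> tell(S=0)
        return 0
    y, ys = xs[0], xs[1:]
    if _select(y, limit) == "skip":
        return sum_initial(ys, limit, trace)     # sum(Ys, Limit, S)
    return sum_initial(ys, limit, trace) + y     # sum(Ys,Limit,S') || tell(S=S'+Y)


def len_initial(xs: List[int], limit: int, trace: List[str]) -> int:
    """len(Xs, Limit, L): one choice point per list cell (recorded in trace)."""
    trace.append("len")
    if not xs:                                   # ask(Xs=[]) -> tell(L=0)
        return 0
    y, ys = xs[0], xs[1:]
    if _select(y, limit) == "skip":
        return len_initial(ys, limit, trace)     # len(Ys, Limit, L)
    return len_initial(ys, limit, trace) + 1     # len(Ys,Limit,L') || tell(L=L'+1)


def sumlen_initial(xs: List[int], limit: int) -> Tuple[int, int, int]:
    """sumlen(Xs,Limit,S,L) <- sum(Xs,Limit,S) || len(Xs,Limit,L).
    Returns (S, L, number of choice points evaluated)."""
    trace: List[str] = []
    s = sum_initial(xs, limit, trace)
    length = len_initial(xs, limit, trace)
    return s, length, len(trace)


def sumlen_folded(xs: List[int], limit: int) -> Tuple[int, int, int]:
    """The directly recursive sumlen obtained at the end of Example 6.3: one
    traversal, one choice point per cell, both results produced in one step.
    Returns (S, L, number of choice points evaluated)."""
    trace: List[str] = []

    def go(rest: List[int]) -> Tuple[int, int]:
        trace.append("sumlen")
        if not rest:                             # ask(Xs=[]) -> tell(S=0) || tell(L=0)
            return 0, 0
        y, ys = rest[0], rest[1:]
        if _select(y, limit) == "skip":
            return go(ys)                        # sumlen(Ys, Limit, S, L)
        s, length = go(ys)                       # sumlen(Ys, Limit, S', L') ||
        return s + y, length + 1                 # tell(S=S'+Y) || tell(L=L'+1)

    s, length = go(xs)
    return s, length, len(trace)


if __name__ == "__main__":
    data = [5, 12, 3, 20, 7]                     # constructed input
    print(sumlen_initial(data, 6), sumlen_folded(data, 6))
```

On a list of n elements the initial definition evaluates 2(n+1) choice points and the folded one n+1, which is the halving claimed above; both raise Suspended on the same input, so the transformation does not change where the program would deadlock.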

7. RELATED WORK 

As mentioned in the introduction, this is one of the few attempts to apply fold/unfold 
techniques in the field of concurrent languages. In fact, in the literature we find 
only three papers which are relatively closely related to the present one: Ueda 
and Furukawa [1988] defined transformation systems for the concurrent logic lan- 
guage GHC [Ueda 1986], Sahlin [1995] defined a partial evaluator for AKL, while 
de Francesco and Santone in [1996] presented a transformation system for CCS 
[Milner 1989]. 

The transformation system we are proposing builds on the systems defined in 
the papers above and can be considered an extension of them. Differently from the 
previous cases, our system is defined for a generic (concurrent) constraint language. 
Thus, together with some new transformations such as the distribution, the back- 
ward instantiation and the branch elimination, we introduce also specific operations 
which allow constraint simplification and elimination (though, some constraint sim- 
plification is done in [Sahlin 1995] as well). 

It is interesting and not straightforward to compare our system with the one 
of Ueda and Furukawa [1988]. This is specific for the GHC language, which has a 
different syntactic structure from CCP and uses the Herbrand universe as computa- 
tional domain. Also because of this, [Ueda and Furukawa 1988] employs operations 
which are completely different from ours. In particular, our operation of unfold- 
ing is replaced by immediate execution and case splitting in [Ueda and Furukawa 
1988]. Our unfolding is a weaker operation which has a broader applicability than 
case splitting, since the latter operation involves the moving of synchronization 
points and therefore requires suitable applicability conditions. Furthermore, the 
distribution operation is not present in [Ueda and Furukawa 1988], as it would not 
be possible in the syntactic structure of GHC. However, in many cases the effect 
of distribution can be achieved in [Ueda and Furukawa 1988] by introduction of 
a new clause followed by case splitting. In order to clarify this, below we report 
how the transformations of the Example 6.1 could be mimicked in GHC by using 
the operations of [Ueda and Furukawa 1988]. The transformation in the following 
example was provided by a reviewer of this paper. 

Example 7.1. The initial program collect_deliver considered in Example 6.1, in 
terms of the GHC syntax is 

1: collect_deliver :- | collect(Xs), deliver(Xs).
2: collect([X|Xs]) :- | get_token(X), collect(Xs).
3: collect([]) :- | true.

   deliver(Ys0) :- | Ys0=[Y|Ys], deliver_2(Y,Ys).
   deliver_2(eof,Ys) :- | Ys=[].
   deliver_2(Y,Ys) :- Y\=eof | deliver_token(Y), deliver(Ys).



The presence of deliver_2 is due to the fact that GHC does not allow nested
guards. The first operation to be used is an immediate execution, applied to clause
(1). The result is

7: collect_deliver :- | collect(Xs), Xs=[Y|Ys], deliver_2(Y,Ys).

By normalizing this, we obtain

8: collect_deliver :- | collect([Y|Ys]), deliver_2(Y,Ys).

Another immediate execution operation yields

9: collect_deliver :- | get_token(Y), collect(Ys), deliver_2(Y,Ys).

Now, we need to introduce a new definition.

10: collect_deliver_2(Y) :- | collect(Ys), deliver_2(Y,Ys).

By applying to this the case splitting operation, we obtain

11: collect_deliver_2(eof) :- | collect(Ys), Ys=[].
12: collect_deliver_2(Y) :- Y\=eof | collect(Ys), deliver_token(Y), deliver(Ys).

By normalizing clause 11, and subsequently applying an immediate execution
operation, we obtain

13: collect_deliver_2(eof) :- | true.

To (12) and (9) we can apply the folding operation, and the resulting program is
thus

collect_deliver :- | get_token(Y), collect_deliver_2(Y).
collect_deliver_2(eof) :- | true.
collect_deliver_2(Y) :- Y\=eof | deliver_token(Y), collect_deliver.

It is worth noting how it is possible to achieve a resulting program which is basically
identical to the one of Example 6.1, despite the completely different nature of the
operations used.

Compared to [Ueda and Furukawa 1988] we also provide a more flexible definition
for the folding operation which allows the folding clause to be recursive (which is
really a step forward in the context of folding operations which are themselves
capable of introducing recursion) and frees the initial program from having to be
partitioned in P_new and P_old. In fact, as opposed to virtually all fold operations
which enable one to introduce recursion presented so far (the only exception being
[Francesco and Santone 1996]), the applicability of the folding operation does not
depend on the transformation history (which has always been one of the "obscure
sides" of it), but it relies on plain syntactic criteria. The idea of using a guarded
folding in order to obtain applicability conditions independent of the transformation
history was first introduced by de Francesco and Santone [1996] in the CCS setting.
However, their technical development is rather different from ours; in particular,
our correctness results and proofs are completely different from those sketched in
[Francesco and Santone 1996].

As previously mentioned, differently from our case, [Sahlin 1995] considers a
definition of ask elimination which allows one to remove potentially selectable
branches; the consequence is that the resulting transformation system is only partially
(thus not totally) correct. We should mention that in [Sahlin 1995] two
preliminary assumptions on the "scheduling" are made, in such a way that this
limitation is actually less constraining than it might appear.

8. CONCLUSIONS 

We have introduced an unfold/fold transformation system for CCP and we have
proved its total correctness w.r.t. the input/output semantics defined by the observables
O, which takes into account also the termination modes. This semantics
corresponds (modulo irrelevant differences due to the treatment of failure and of
local variables) to the one proposed in [de Boer and Palamidessi 1991]. This is
one of the two fully abstract "standard" semantics for CCP, the other being the
one defined in [Saraswat et al. 1991]. (Actually, these two semantic models have
been proved to be isomorphic [de Boer and Palamidessi 1992], provided that the
termination mode and the consistency checks are eliminated.)

We have also shown that the proposed transformation system preserves another,
stronger semantics which takes into account the intermediate results of computations
up to logical implication (Theorem 5.1). We argued that this result should
be strong enough for transforming also programs which might not terminate, in
particular for transforming reactive programs. Nevertheless, in addition to this
we have presented a restricted transformation system, obtained from the initial
one by adding some (relatively mild) restrictions on some operations. We have
shown that this second system preserves the trace semantics of programs (up to
simulation, Theorem 5.12) and therefore it is totally correct w.r.t. the semantics
O', which takes into account all the intermediate results (Corollary 5.13). We have
also proved that this system preserves active infinite computations and we claim
that, more generally, this system does not introduce in the transformed program
any new infinite computation which was not present in the original one.

As shown by the examples, this system can be used for the optimization of con- 
current constraint programs both in terms of time and of space. In fact, it allows us 
to eliminate unnecessary suspension points (and therefore to reduce sequentiality) , 
to reduce the number of communication channels and to avoid the construction of 
some global data structures. The system can also be used to simplify the dynamic 
behavior of a program, thus allowing us to prove directly absence of deadlock. 

Concerning future work, there exist other techniques for proving deadlock freeness
for CCP programs; notably, in [Codish et al. 1994] a methodology based on abstract
interpretation has been defined. It could be interesting to investigate an integration
of our methodology with abstract interpretation tools. We are also considering
a formal comparison of some different transformation systems (in particular our
system and that of [Ueda and Furukawa 1988]) to assess their relative strength.
This task is not immediate, since the target languages are different.

A. DETAILED PROOFS 

Appendix A is available only online. You should be able to get the online-only
appendix from the citation page for this article. Alternative instructions on how to
obtain online-only appendices are given on the back inside cover of current issues
of ACM TOPLAS or on the ACM TOPLAS web page:

http://www.acm.org/toplas
In this Appendix we provide the detailed proofs for the results which ensure
that the transformation system we have defined is totally correct. In particular,
we provide the detailed proofs for Theorems 4.13 and 5.12. In order to obtain a
self-contained Appendix some technical Lemmata contained also in the paper are
repeated here. In what follows, we are going to refer to a fixed transformation
sequence $D_0, \ldots, D_n$.

Lemma A.1. Assume that there exists a derivation $\langle D.C[A], c\rangle \to^* \langle D.C'[A], c'\rangle$
where $c$ is a satisfiable constraint and the context $C'[\ ]$ has the form
$$A_1 \parallel \ldots \parallel C''[\ ] \parallel \ldots \parallel A_n$$
and, for each $j \in [1,n]$, $A_j$ is either a choice agent, or a procedure call, or the agent
Stop. Then $\mathcal{D} \models (pc(C''[\ ]) \wedge c') \to pc(C[\ ])$ holds and, in case $C''[\ ]$ is the empty
context, also $\mathcal{D} \models c' \to pc(C[\ ])$ holds.

Proof. By a straightforward inductive argument it follows that if there exists
a derivation $\langle D.C[A], c\rangle \to^* \langle D.C'[A], c'\rangle$, then $\mathcal{D} \models (pc(C'[\ ]) \wedge c') \to pc(C[\ ])$.
Now, if $C'[\ ]$ has the form $A_1 \parallel \ldots \parallel C''[\ ] \parallel \ldots \parallel A_n$, where each $A_j$ is either a
choice agent or a procedure call or Stop, then $pc(C'[\ ]) = pc(C''[\ ])$, which implies
$\mathcal{D} \models (pc(C''[\ ]) \wedge c') \to pc(C[\ ])$. Obviously, if $C''[\ ]$ is the empty context then
$pc(C''[\ ]) = true$, from which the second part of the Lemma follows. □

We prove now Proposition 4.5.

Proposition 4.5 (Partial Correctness). If, for each agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_i.A)$
then, for each agent $A$, $\mathcal{O}(D_i.A) \supseteq \mathcal{O}(D_{i+1}.A)$.

Proof. We now show that given an agent $A$ and a satisfiable constraint $c_I$,
if there exists a derivation $\xi = \langle D_{i+1}.A, c_I\rangle \to^* \langle D_{i+1}.B, c_F\rangle$, with $m(B,c_F) \in \{ss, dd, ff\}$,
then there exists also a derivation $\xi' = \langle D_i.A, c_I\rangle \to^* \langle D_i.B', c'_F\rangle$ with
$\exists_{-Var(A,c_I)}\, c'_F = \exists_{-Var(A,c_I)}\, c_F$ and $m(B',c'_F) = m(B,c_F)$. By Definition 4.1, this will
imply the thesis. The proof is by induction on the length $l$ of the derivation.

($l = 0$). In this case $\xi = \langle D_{i+1}.A, c_I\rangle$. By the definition $\langle D_i.A, c_I\rangle$ is also a
derivation of length $0$ and then the thesis holds.

($l > 0$). If the first step of derivation $\xi$ does not use rule R4, then the proof
follows from the inductive hypothesis. In fact, if $\xi = \langle D_{i+1}.A, c_I\rangle \to \langle D_{i+1}.A_1, c_1\rangle \to^* \langle D_{i+1}.B, c_F\rangle$
then, by the inductive hypothesis, there exists a derivation
$$\xi'' = \langle D_i.A_1, c_1\rangle \to^* \langle D_i.B', c'_F\rangle$$
with $\exists_{-Var(A_1,c_1)}\, c'_F = \exists_{-Var(A_1,c_1)}\, c_F$ and $m(B',c'_F) = m(B,c_F)$. We can assume,
without loss of generality, that $Var(A,c_I) \cap Var(\xi'') \subseteq Var(A_1,c_1)$. Therefore,
there exists a derivation $\xi' = \langle D_i.A, c_I\rangle \to^* \langle D_i.B', c'_F\rangle$. Now, to prove the thesis
it is sufficient to observe that, by the hypothesis on the variables,
$$\exists_{-Var(A,c_I)}\, c'_F = \exists_{-Var(A,c_I)}\,(c_1 \wedge \exists_{-Var(A_1,c_1)}\, c'_F) = \exists_{-Var(A,c_I)}\,(c_1 \wedge \exists_{-Var(A_1,c_1)}\, c_F) = \exists_{-Var(A,c_I)}\, c_F.$$

Now, assume that the first step of derivation $\xi$ uses rule R4 and let $d' \in D_{i+1}$
be the declaration used in the first step of $\xi$. If $d'$ was not modified in the transformation
step from $D_i$ to $D_{i+1}$ (that is, $d' \in D_i$), then the result follows from the
inductive hypothesis. We assume then that $d' \notin D_i$; $d'$ is then the result of the
transformation operation applied to obtain $D_{i+1}$, and we now distinguish various
cases according to the operation itself.

Case 1: $d'$ is the result of an unfolding operation.
In this case the proof is straightforward.

Case 2: $d'$ is the result of a tell elimination or of a tell introduction.
In this case the thesis follows from a straightforward analysis of the possible derivations
which use $d$ or $d'$. First, observe that for any derivation which uses a declaration
$H \leftarrow C[tell(s = t) \parallel B]$, we can construct another derivation such that the
agent $tell(s = t)$ is evaluated before $B$. Moreover, for any constraint $c$ such that
$\exists_{dom(\sigma)}\, c = \exists_{dom(\sigma)}\, c\sigma$ (where $\sigma$ is a relevant most general unifier of $s$ and $t$), there
exists a derivation step $\langle D_i.B_1\sigma, c\sigma\rangle \to \langle D_i.B_2\sigma, c'\rangle$ if and only if there exists a
derivation step $\langle D_i.B_1, c \wedge (s = t)\rangle \to \langle D_i.B_2, c''\rangle$, where, for some constraint $e$,
$c' = e\sigma$, $c'' = e \wedge (s = t)$ and therefore $c' = \exists_{dom(\sigma)}\, c''$. Finally, since by definition $\sigma$
is idempotent and the variables in the domain of $\sigma$ occur neither in $C[\ ]$ nor
in $H$, for any constraint $e$ we have that $\exists_{-Var(A,c_I)}\, e\sigma = \exists_{-Var(A,c_I)}\,(e \wedge (s = t))$.

Case 3: $d'$ is the result of a backward instantiation.

Let $d$ be the corresponding declaration in $D_i$. The situation is the following:

- $d : q(r) \leftarrow C[p(t)]$

- $d' : q(r) \leftarrow C[p(t) \parallel tell(b) \parallel tell(t = s)]$

where $f : p(s) \leftarrow tell(b) \parallel H \in D_i$ has no variable in common with $d$ (the case
$d' : q(r) \leftarrow C[p(t) \parallel tell(t = s)]$ is analogous and hence omitted). In this case
$$\xi = \langle D_{i+1}.C_I[q(v)], c_I\rangle \to \langle D_{i+1}.C_I[C[p(t) \parallel tell(b) \parallel tell(t = s)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_{i+1}.B, c_F\rangle.$$

By the inductive hypothesis, there exists a derivation
$$\chi = \langle D_i.C_I[C[p(t) \parallel tell(b) \parallel tell(t = s)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.B'', c''_F\rangle,$$
with
$$\exists_{-Var(C_I[C[p(t) \parallel tell(b) \parallel tell(t=s)] \parallel tell(v=r)],\,c_I)}\, c''_F = \exists_{-Var(C_I[C[p(t) \parallel tell(b) \parallel tell(t=s)] \parallel tell(v=r)],\,c_I)}\, c_F$$
and
$$m(B'',c''_F) = m(B,c_F). \qquad (31)$$

Moreover, since $Var(C_I[q(v)],c_I) \subseteq Var(C_I[C[p(t) \parallel tell(b) \parallel tell(t = s)] \parallel tell(v = r)],c_I)$, we have that
$$\exists_{-Var(C_I[q(v)],c_I)}\, c''_F = \exists_{-Var(C_I[q(v)],c_I)}\, c_F. \qquad (32)$$

If $p(t)$ is not evaluated in $\chi$, then the proof is immediate. Otherwise, by the
definition of $\chi$ and since $f \in D_i$, there exists also a derivation
$$\chi' = \langle D_i.C_I[C[p(t)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.B', c'_F\rangle$$
such that $\exists_{-Var(C_I[C[p(t)] \parallel tell(v=r)],\,c_I)}\, c'_F = \exists_{-Var(C_I[C[p(t)] \parallel tell(v=r)],\,c_I)}\, c''_F$ and
$m(B',c'_F) = m(B'',c''_F)$. Therefore, by (32) and (31),
$$\exists_{-Var(C_I[q(v)],c_I)}\, c'_F = \exists_{-Var(C_I[q(v)],c_I)}\, c_F \quad\text{and}\quad m(B',c'_F) = m(B,c_F). \qquad (33)$$

By the definition of $\chi'$, $Var(C_I[q(v)], c_I) \cap Var(\chi') \subseteq Var(C_I[C[p(t)] \parallel tell(v = r)], c_I)$.
Then, by the definition of derivation and since $d \in D_i$,
$$\langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[p(t)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.B', c'_F\rangle$$
and then the thesis follows from (33).

Case 4: $d'$ is obtained from $d$ by either an ask simplification or a tell simplification.
We consider only the first case (the proof of the other one is analogous and hence
it is omitted). Let

- $d' : q(r) \leftarrow C[\sum_{j=1}^{n} ask(c'_j) \to A_j]$, and

- $d : q(r) \leftarrow C[\sum_{j=1}^{n} ask(c_j) \to A_j]$,

where for $j \in [1,n]$, $\mathcal{D} \models \exists_{-Var(q(r),C,A_j)}\,(pc(C[\ ]) \wedge c_j) \leftrightarrow (pc(C[\ ]) \wedge c'_j)$. According
to the definition of $pc$ and by Lemma A.1, for any derivation $\chi$ for
$$\langle D_i.C_I[C[\textstyle\sum_{j=1}^{n} ask(c'_j) \to A_j] \parallel tell(v = r)], c_I\rangle$$
there exists a derivation $\chi'$ for
$$\langle D_i.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to A_j] \parallel tell(v = r)], c_I\rangle$$
which performs the same steps of $\chi$ (possibly in a different order) and such that
whenever the choice agent inside $C[\ ]$ is evaluated the current store implies $pc(C[\ ])$.
Therefore the thesis follows from the above equivalence.

Case 5: $d'$ is the result of a branch elimination or of a conservative ask elimination.
The proof is straightforward by noting that: (a) according to Definition 4.1 we
consider also inconsistent stores resulting from non-terminated computations; (b)
an ask action of the form $ask(true)$ always succeeds.
Case 6: $d'$ is the result of a distribution operation. Let

- $d : q(r) \leftarrow C[H \parallel \sum_{j=1}^{n} ask(c_j) \to B_j] \in D_i$

- $d' : q(r) \leftarrow C[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \in D_{i+1}$

where $e = pc(C[\ ])$ and for every constraint $c$ such that $Var(c) \cap Var(d) \subseteq Var(q(r), C)$,
if $\langle D_i.H, c \wedge e\rangle$ is productive then both the following conditions hold:

- there exists at least one $j \in [1,n]$ such that $\mathcal{D} \models (c \wedge e) \to c_j$;
- for each $j \in [1,n]$, either $\mathcal{D} \models (c \wedge e) \to c_j$ or $\mathcal{D} \models (c \wedge e) \to \neg c_j$.

In this case
$$\xi = \langle D_{i+1}.C_I[q(v)], c_I\rangle \to \langle D_{i+1}.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_{i+1}.B, c_F\rangle.$$
By the inductive hypothesis, there exists a derivation
$$\chi = \langle D_i.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.B'', c''_F\rangle$$
with
$$\exists_{-Var(C_I[C[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v=r)],\,c_I)}\, c''_F = \exists_{-Var(C_I[C[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v=r)],\,c_I)}\, c_F$$
and
$$m(B'',c''_F) = m(B,c_F). \qquad (34)$$

Moreover, since $Var(C_I[q(v)], c_I) \subseteq Var(C_I[C[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v = r)], c_I)$, we have that
$$\exists_{-Var(C_I[q(v)],c_I)}\, c''_F = \exists_{-Var(C_I[q(v)],c_I)}\, c_F. \qquad (35)$$

Now, we distinguish two cases:

1) $\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)$ is not evaluated in $\chi$. In this case the proof is obvious.

2) $\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)$ is evaluated in $\chi$. We have two more possibilities:

2a) There exists $h \in [1,n]$ such that
$$\chi = \langle D_i.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.C_M[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)], c_M\rangle \to \langle D_i.C_M[H \parallel B_h], c_M\rangle \to^* \langle D_i.B'', c''_F\rangle$$
where $\mathcal{D} \models c_M \to c_h$. In this case the thesis follows immediately, since using $d$ one
can obtain the agent $C_M[H \parallel B_h]$ after having evaluated the choice agent in $C[\ ]$.

2b) There is no $h \in [1,n]$ such that $\mathcal{D} \models c''_F \to c_h$. In this case
$$c''_F \text{ is satisfiable}, \quad m(B'',c''_F) = dd, \qquad (36)$$
$B''$ is the agent $C_F[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)]$ and
$$\chi = \langle D_i.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.C_F[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)], c''_F\rangle \not\to.$$

From the definition of derivation, the definition of $B''$ and the hypothesis that
$\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)$ is evaluated in $\chi$, it follows that $C_F[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)]$
is of the form $A_1 \parallel \ldots \parallel \sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j) \parallel \ldots \parallel A_l$, where either $A_k$ is
a choice agent or $A_k = Stop$. By Lemma A.1, $\mathcal{D} \models c''_F \to pc(C[\ ])$ and by
definition of derivation $Var(c''_F) \cap Var(d) \subseteq Var(q(r), C)$. Then, since there is
no $j \in [1,n]$ such that $\mathcal{D} \models c''_F \to c_j$, by definition of distribution, $\langle D_i.H, c''_F\rangle$
is not productive. Then, by definition, $\langle D_i.H, c''_F\rangle$ has at least one finite derivation
$\chi_1 = \langle D_i.H, c''_F\rangle \to^* \langle D_i.H', c'_F\rangle \not\to$ such that $\mathcal{D} \models \exists_{-Z}\, c''_F \leftrightarrow \exists_{-Z}\, c'_F$, where
$Z = Var(H)$. Moreover, since in a derivation we can add to the store only constraints
on the variables occurring in the agents, $c''_F = \exists_{-Var(H,c''_F)}\, c''_F = \exists_{-Var(H,c''_F)}\, c'_F$ holds.
Without loss of generality, we can assume that $Var(\chi_1) \cap Var(\chi) \subseteq Var(H, c''_F)$.
Therefore, by the previous observation,
$$\exists_{-Var(C_F[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)],\,c''_F)}\, c'_F = c''_F \qquad (37)$$
and since $\langle D_i.C_F[\sum_{j=1}^{n} ask(c_j) \to (H \parallel B_j)], c''_F\rangle \not\to$ and $\langle D_i.H', c'_F\rangle \not\to$, there exists a
derivation
$$\chi' = \langle D_i.C_I[C[H \parallel \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.C_F[H \parallel \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c''_F\rangle \to^* \langle D_i.C_F[H' \parallel \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c'_F\rangle \not\to.$$

Moreover, since $d \in D_i$, there exists a derivation
$$\xi' = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[H \parallel \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \parallel tell(v = r)], c_I\rangle \to^* \langle D_i.C_F[H \parallel \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c''_F\rangle \to^* \langle D_i.C_F[H' \parallel \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c'_F\rangle \not\to.$$

Finally, to prove the thesis it is sufficient to observe that from (34), (36), (37) and
from the definition of $B' = C_F[H' \parallel \sum_{j=1}^{n} ask(c_j) \to B_j]$ it follows that $m(B',c'_F) = m(B,c_F) = dd$. Moreover
$$\begin{array}{rcl}
\exists_{-Var(C_I[q(v)],c_I)}\, c'_F & = & \text{(by construction)}\\[2pt]
\exists_{-Var(C_I[q(v)],c_I)}\,\big(c''_F \wedge \exists_{-Var(C_F[H \parallel \sum_{j=1}^{n} ask(c_j) \to B_j],\,c''_F)}\, c'_F\big) & = & \text{(by (37))}\\[2pt]
\exists_{-Var(C_I[q(v)],c_I)}\, c''_F & = & \text{(by (35))}\\[2pt]
\exists_{-Var(C_I[q(v)],c_I)}\, c_F
\end{array}$$
which concludes the proof of this case.

Case 7: d' is the result of a folding.
Let

- $d : q(\bar r) \leftarrow C[H]$ be the folded declaration ($\in D_i$),

- $f : p(\bar X) \leftarrow H$ be the folding declaration ($\in D_0$),

- $d' : q(\bar r) \leftarrow C[p(\bar X)]$ be the result of the folding operation ($\in D_{i+1}$)

where, by hypothesis, $Var(d) \cap Var(\bar X) \subseteq Var(H)$ and $Var(H) \cap (Var(\bar r) \cup Var(C)) \subseteq Var(\bar X)$. In this case $\xi = (D_{i+1}.C_I[q(\bar v)], c_I) \to (D_{i+1}.C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I) \to^* (D_{i+1}.B, c_F)$ and we can assume, without loss of generality, that $Var(C_I[q(\bar v)], c_I) \cap Var(H) = \emptyset$.
By the inductive hypothesis, there exists a derivation

$$\chi = (D_i.C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.B'', c''_F),$$

such that $\exists_{-Var(C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I)}\, c''_F = \exists_{-Var(C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I)}\, c_F$ and

$$m(B'', c''_F) = m(B, c_F). \qquad (38)$$

Since $Var(C_I[q(\bar v)], c_I) \subseteq Var(C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I)$, we have that

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, c''_F = \exists_{-Var(C_I[q(\bar v)], c_I)}\, c_F. \qquad (39)$$

Since by hypothesis for any agent $A'$, $\mathcal{O}(D_0.A') = \mathcal{O}(D_i.A')$, there exists a derivation

$$\xi_0 = (D_0.C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I) \to^* (D_0.B_0, c_0)$$

such that $\exists_{-Var(C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I)}\, c_0 = \exists_{-Var(C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I)}\, c''_F$ and $m(B_0, c_0) = m(B'', c''_F)$. By (38), (39) and since $Var(C_I[q(\bar v)], c_I) \subseteq Var(C_I[C[p(\bar X)] \| tell(\bar v = \bar r)], c_I)$, we have that

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, c_0 = \exists_{-Var(C_I[q(\bar v)], c_I)}\, c_F \ \text{ and } \ m(B_0, c_0) = m(B, c_F). \qquad (40)$$

Let $f' : p(\bar X') \leftarrow H'$ be an appropriate renaming of $f$, which renames only the variables in $\bar X$, such that $Var(d) \cap Var(f') = \emptyset$ (note that this is possible, since $Var(H) \cap (Var(\bar r) \cup Var(C)) \subseteq Var(\bar X)$). Moreover by hypothesis, $Var(C_I[q(\bar v)], c_I) \cap Var(H) = \emptyset$. Then, without loss of generality we can assume that $Var(\xi_0) \cap Var(f') \neq \emptyset$ if and only if the procedure call $p(\bar X)$ is evaluated, in which case declaration $f'$ is used. Thus there exists a derivation

$$(D_0.C_I[C[H' \| tell(\bar X = \bar X')] \| tell(\bar v = \bar r)], c_I) \to^* (D_0.B'_0, c'_0),$$

where $m(B'_0, c'_0) = m(B_0, c_0)$. By (40) we have

$$m(B'_0, c'_0) = m(B, c_F). \qquad (41)$$

We show now that we can substitute $H$ for $H' \| tell(\bar X = \bar X')$ in the previous derivation. Since $f' : p(\bar X') \leftarrow H'$ is a renaming of $f : p(\bar X) \leftarrow H$, the equality $\bar X = \bar X'$ is a conjunction of equations involving only distinct variables. Then, by replacing $\bar X$ with $\bar X'$ and vice versa in the previous derivation we obtain the derivation $\chi_0 = (D_0.C_I[C[H \| tell(\bar X' = \bar X)] \| tell(\bar v = \bar r)], c_I) \to^* (D_0.B''_0, c''_0)$ where

$$\exists_{-Var(C_I[C[H \| tell(\bar X' = \bar X)] \| tell(\bar v = \bar r)], c_I)}\, c''_0 = \exists_{-Var(C_I[C[H \| tell(\bar X' = \bar X)] \| tell(\bar v = \bar r)], c_I)}\, c'_0$$

and $m(B''_0, c''_0) = m(B'_0, c'_0)$.

From (41) it follows that

$$m(B''_0, c''_0) = m(B, c_F). \qquad (42)$$

Then, from (40) and since $Var(C_I[q(\bar v)], c_I) \subseteq Var(C_I[C[H \| tell(\bar X' = \bar X)] \| tell(\bar v = \bar r)], c_I)$ we obtain

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, c''_0 = \exists_{-Var(C_I[q(\bar v)], c_I)}\, c_F. \qquad (43)$$

Moreover, we can drop the constraint $tell(\bar X' = \bar X)$, since the declarations used in the derivation are renamed apart and, by construction, $Var(C_I[C[H] \| tell(\bar r = \bar v)], c_I) \cap Var(\bar X') = \emptyset$. Therefore there exists a derivation $(D_0.C_I[C[H] \| tell(\bar v = \bar r)], c_I) \to^* (D_0.B_0, c_0)$ which performs exactly the same steps of $\chi_0$, (possibly) except for the evaluation of $tell(\bar X' = \bar X)$, and such that $\exists_{-Var(C_I[C[H] \| tell(\bar v = \bar r)], c_I)}\, c_0 = \exists_{-Var(C_I[C[H] \| tell(\bar v = \bar r)], c_I)}\, c''_0$ and $m(B_0, c_0) = m(B''_0, c''_0)$. From (42), (43) and since $Var(C_I[q(\bar v)], c_I) \subseteq Var(C_I[C[H] \| tell(\bar v = \bar r)], c_I)$, it follows that

$$m(B_0, c_0) = m(B, c_F) \ \text{ and } \ \exists_{-Var(C_I[q(\bar v)], c_I)}\, c_0 = \exists_{-Var(C_I[q(\bar v)], c_I)}\, c_F. \qquad (44)$$

Since $\mathcal{O}(D_0.A') = \mathcal{O}(D_i.A')$ holds by hypothesis for any agent $A'$, there exists a derivation

$$(D_i.C_I[C[H] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.B', c'_F)$$

where

$$\exists_{-Var(C_I[C[H] \| tell(\bar v = \bar r)], c_I)}\, c'_F = \exists_{-Var(C_I[C[H] \| tell(\bar v = \bar r)], c_I)}\, c_0$$

and $m(B', c'_F) = m(B_0, c_0)$. From (44) and since $Var(C_I[q(\bar v)], c_I) \subseteq Var(C_I[C[H] \| tell(\bar v = \bar r)], c_I)$, we obtain

$$m(B', c'_F) = m(B, c_F) \ \text{ and } \ \exists_{-Var(C_I[q(\bar v)], c_I)}\, c'_F = \exists_{-Var(C_I[q(\bar v)], c_I)}\, c_F. \qquad (45)$$

Finally, since $d : q(\bar r) \leftarrow C[H] \in D_i$, there exists a derivation

$$\xi' = (D_i.C_I[q(\bar v)], c_I) \to (D_i.C_I[C[H] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.B', c'_F)$$

and then the thesis follows from (45). $\square$

Before proving the total correctness result we need some technical lemmata. Here and in the following we use the notation $w_t$ (with $t \in \{ss, dd, ff\}$) as a shorthand for indicating the success weight $w_{ss}$, the deadlock weight $w_{dd}$ and the failure weight $w_{ff}$.

Lemma A.3. Let $q(\bar r) \leftarrow H \in D_0$, $t \in \{ss, dd, ff\}$ and let $C[\ ]$ be a context. For any satisfiable constraint $c$ and for any constraint $c'$, such that $Var(C[q(\bar t)], c) \cap Var(\bar r) = \emptyset$ and $w_t(C[q(\bar t)], c, c')$ is defined, there exists a constraint $d'$ such that $w_t(C[q(\bar r) \| tell(\bar t = \bar r)], c, d') \le w_t(C[q(\bar t)], c, c')$ and $\exists_{-Var(C[q(\bar t)], c)}\, d' = \exists_{-Var(C[q(\bar t)], c)}\, c'$.

Proof. Immediate. $\square$

Lemma A.4. Let $q(\bar r) \leftarrow H \in D_0$ and $t \in \{ss, dd, ff\}$. For any context $C_I[\ ]$, any satisfiable constraint $c$ and for any constraint $c'$, the following holds.

(1) If $Var(H) \cap Var(C_I, c) \subseteq Var(\bar r)$ and $w_t(C_I[q(\bar r)], c, c')$ is defined, then there exists a constraint $d'$, such that $Var(d') \subseteq Var(C_I[H], c)$, $w_t(C_I[H], c, d') \le w_t(C_I[q(\bar r)], c, c')$ and $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$.

(2) If $Var(H) \cap Var(C_I, c) \subseteq Var(\bar r)$, $Var(c') \cap Var(\bar r) \subseteq Var(C_I[H], c)$ and $w_t(C_I[H], c, c')$ is defined, then there exists a constraint $d'$, such that $w_t(C_I[q(\bar r)], c, d') \le w_t(C_I[H], c, c')$ and $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$.

Proof. Immediate. $\square$

The following Lemma is crucial in the proof of completeness.

Lemma A.5. Let $0 \le i \le n$, $t \in \{ss, dd, ff\}$, $cl : q(\bar r) \leftarrow H \in D_i$, and let $cl' : q(\bar r) \leftarrow H'$ be the corresponding declaration in $D_{i+1}$ (in the case $i < n$). For any context $C_I[\ ]$ and any satisfiable constraint $c$ and for any constraint $c'$ the following holds:

(1) If $Var(H) \cap Var(C_I, c) \subseteq Var(\bar r)$ and $w_t(C_I[q(\bar r)], c, c')$ is defined, then there exists a constraint $d'$, such that $Var(d') \subseteq Var(C_I[H], c)$, $w_t(C_I[H], c, d') \le w_t(C_I[q(\bar r)], c, c')$ and $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$;

(2) If $Var(H, H') \cap Var(C_I, c) \subseteq Var(\bar r)$, $Var(c') \cap Var(\bar r) \subseteq Var(C_I[H], c)$ and $w_t(C_I[H], c, c')$ is defined, then there exists a constraint $d'$, such that $Var(d') \subseteq Var(C_I[H'], c)$, $w_t(C_I[H'], c, d') \le w_t(C_I[H], c, c')$ and $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$.

Proof. Observe that, for $i = 0$, the proof of 1 follows from the first part of Lemma A.4. We prove here that, for each $i \ge 0$,

a) if 1 holds for $i$ then 2 holds for $i$;

b) if 1 and 2 hold for $i$ then 1 holds for $i + 1$.

The proof of the Lemma then follows from a straightforward inductive argument.

a) If $cl$ was not affected by the transformation step from $D_i$ to $D_{i+1}$ then the result is obvious by choosing $d' = \exists_{-Var(C_I[H], c)}\, c'$. Assume then that $cl$ is affected when transforming $D_i$ to $D_{i+1}$ and let us distinguish various cases.

Case 1: $cl' \in D_{i+1}$ was obtained from $D_i$ by unfolding.
In this case, the situation is the following:

- $cl : q(\bar r) \leftarrow C[p(\bar t)] \in D_i$

- $u : p(\bar s) \leftarrow B \in D_i$

- $cl' : q(\bar r) \leftarrow C[B \| tell(\bar t = \bar s)] \in D_{i+1}$

where $cl$ and $u$ are assumed to be renamed so that they do not share variables. Let $n = w_t(C_I[C[p(\bar t)]], c, c')$. By the definition of transformation sequence, there exists a declaration $p(\bar s) \leftarrow B_0 \in D_0$. Moreover, by the hypothesis on the variables, $Var(C[p(\bar t)], C[B \| tell(\bar t = \bar s)]) \cap Var(C_I, c) \subseteq Var(\bar r)$ and then $Var(C_I[C[p(\bar t)]], c) \cap Var(\bar s) = \emptyset$. Therefore, by Lemma A.3, there exists a constraint $d_1$, such that

$$w_t(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c, d_1) \le w_t(C_I[C[p(\bar t)]], c, c') = n \qquad (46)$$

and

$$\exists_{-Var(C_I[C[p(\bar t)]], c)}\, d_1 = \exists_{-Var(C_I[C[p(\bar t)]], c)}\, c'. \qquad (47)$$

By the hypothesis on the variables and since $u$ is renamed apart from $cl$, $Var(B) \cap Var(C_I, C, \bar t, c) = \emptyset$ and therefore $Var(B) \cap Var(C_I[C[\ ] \| tell(\bar t = \bar s)], c) \subseteq Var(\bar s)$. Then, by Point 1, there exists a constraint $d'$, such that $Var(d') \subseteq Var(C_I[C[B \| tell(\bar t = \bar s)]], c)$, $w_t(C_I[C[B \| tell(\bar t = \bar s)]], c, d') \le w_t(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c, d_1)$ and

$$\exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d' = \exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d_1.$$

By (46), $w_t(C_I[C[B \| tell(\bar t = \bar s)]], c, d') \le n$.

Furthermore, by hypothesis and construction, $Var(c', d') \cap Var(\bar r) \subseteq Var(C_I[C[p(\bar t)]], c)$ and, without loss of generality, we can assume that $Var(d_1) \cap Var(\bar r) \subseteq Var(C_I[C[p(\bar t)]], c)$.

Then, by (47) and since $Var(C_I[C[p(\bar t)]], c) \subseteq Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)$, we have that $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$ and this completes the proof.

Case 2: $cl'$ is the result of a tell elimination or introduction.

The proof is analogous to that one given for Case 2 of Proposition 4.5 and it is omitted.

Case 3: $cl'$ is the result of a backward instantiation.

Let $cl$ be the corresponding declaration in $D_i$. The situation is then the following:

- $cl : q(\bar r) \leftarrow C[p(\bar t)]$

- $cl' : q(\bar r) \leftarrow C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]$

where $f : p(\bar s) \leftarrow tell(b) \| H \in D_i$ has no variable in common with $cl$ (the case $cl' : q(\bar r) \leftarrow C[p(\bar t) \| tell(\bar t = \bar s)]$ is analogous and hence omitted). By the hypothesis, $Var(C[p(\bar t)], C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]) \cap Var(C_I, c) \subseteq Var(\bar r)$, $Var(c') \cap Var(\bar r) \subseteq Var(C_I[C[p(\bar t)]], c)$ and there exists $n$ such that $w_t(C_I[C[p(\bar t)]], c, c') = n$. Then $Var(C_I[C[p(\bar t)]], c) \cap Var(\bar s) = \emptyset$ and, without loss of generality, we can assume that $Var(H) \cap Var(C_I, c) = \emptyset$.
Moreover, by the definition of transformation sequence, there exists a declaration $p(\bar s) \leftarrow B_0 \in D_0$ and then, by Lemma A.3, there exists a constraint $d_1$ such that

$$w_t(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c, d_1) \le w_t(C_I[C[p(\bar t)]], c, c') = n \qquad (48)$$

and

$$\exists_{-Var(C_I[C[p(\bar t)]], c)}\, d_1 = \exists_{-Var(C_I[C[p(\bar t)]], c)}\, c'. \qquad (49)$$

Using the hypothesis on the variables and since $f$ is renamed apart from $Var(\bar r)$, we have that

$$Var(tell(b) \| H) \cap Var(C_I[C[\ \| tell(\bar t = \bar s)]], c) \subseteq Var(\bar s).$$

Then, from Point 1 of the Lemma (assumed as hypothesis) and (48) it follows that there exists a constraint $d_2$ such that

$$w_t(C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c, d_2) \le w_t(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c, d_1) \le n \qquad (50)$$

and

$$\exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d_2 = \exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d_1 \qquad (51)$$

hold. By definition of weight, we can assume that $Var(d_1) \subseteq Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)$ and therefore, we have that $Var(b) \cap Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c, d_1) \subseteq Var(\bar s)$.
We have now two cases:

1) $\mathcal{D} \models \exists_{-Var(\bar s)}\, d_1 \to \exists_{-Var(\bar s)}\, b$. In this case, by (48), there exists a derivation

$$\xi = (D_0.C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c) \to^* (D_0.B_F, c_F),$$

such that $m(B_F, c_F) = t$, $wh(\xi) \le n$ and

$$\exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, c_F = \exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d_1.$$

By the hypothesis on the variables, we can build a derivation

$$\chi = (D_0.C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]], c) \to^* (D_0.B'_F, d_3)$$

which performs exactly the same steps of $\xi$, plus possibly a tell action, such that $wh(\chi) \le n$, $m(B'_F, d_3) = m(B_F, c_F)$ and

$$\exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d_3 = \exists_{-Var(C_I[C[p(\bar s) \| tell(\bar t = \bar s)]], c)}\, d_1. \qquad (52)$$

Let $d' = \exists_{-Var(C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]], c)}\, d_3$. By the previous result and by definition of weight $w_t(C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]], c, d') \le n$.

Moreover, by hypothesis, $Var(c', d') \cap Var(\bar r) \subseteq Var(C_I[C[p(\bar t)]], c)$ and we can assume, without loss of generality, that $Var(d_1, d_2) \cap Var(\bar r) \subseteq Var(C_I[C[p(\bar t)]], c)$. Then, by (49), (52) and by definition of $d'$, it follows that $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$ and then the thesis holds.

2) $\mathcal{D} \not\models \exists_{-Var(\bar s)}\, d_1 \to \exists_{-Var(\bar s)}\, b$. In this case, by (51), $\mathcal{D} \not\models \exists_{-Var(\bar s)}\, d_2 \to \exists_{-Var(\bar s)}\, b$.

By (50) this means that there exists a derivation

$$\xi = (D_0.C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c) \to^* (D_0.B_F, c_F) \not\to$$

such that $tell(b) \| H \| tell(\bar t = \bar s)$ is not evaluated in $\xi$, $m(B_F, c_F) = t$, $wh(\xi) \le n$ and

$$\exists_{-Var(C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c)}\, c_F = \exists_{-Var(C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c)}\, d_2.$$

By definition, we can construct another derivation

$$\chi = (D_0.C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]], c) \to^* (D_0.B'_F, c_F) \not\to$$

which performs exactly the same steps of $\xi$ (and therefore $wh(\chi) \le n$) and such that $m(B_F, c_F) = m(B'_F, c_F)$. Let $d' = \exists_{-Var(C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)]], c)}\, c_F$. By definition of derivation

$$Var(c_F) \cap Var(C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c) \subseteq Var(C_I, C, c)$$

and therefore $\exists_{-Var(C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c)}\, d' = \exists_{-Var(C_I[C[tell(b) \| H \| tell(\bar t = \bar s)]], c)}\, d_2$.

The remainder of the proof is now analogous to that one of the previous case.

Case 4: Either $cl'$ is the result of an ask simplification or $cl'$ is the result of a tell simplification. The proof is analogous to that one given for Case 4 of Proposition 4.5 and hence it is omitted.

Case 5: $cl'$ is the result of a branch elimination or of a conservative ask elimination. The proof is straightforward by noting that: (a) according to Definition 4.1 we consider also inconsistent stores resulting from non-terminated computations; (b) an ask action of the form $ask(true)$ always succeeds; (c) if we delete an $ask(true)$ action we obtain a derivation whose weight is smaller.

Case 6: $cl'$ is the result of a distribution.
Let

- $cl : q(\bar r) \leftarrow C[H \| \sum_{j=1}^n ask(c_j) \to B_j] \in D_i$

- $cl' : q(\bar r) \leftarrow C[\sum_{j=1}^n ask(c_j) \to (H \| B_j)] \in D_{i+1}$

where $e = pc(C[\ ])$ and for every constraint $e'$ such that $Var(e') \cap Var(cl) \subseteq Var(q(\bar r), C)$, if $(D_i.H, e' \wedge e)$ is productive then both the following conditions hold:

- there exists at least one $j \in [1, n]$ such that $\mathcal{D} \models (e' \wedge e) \to c_j$
- for each $j \in [1, n]$, either $\mathcal{D} \models (e' \wedge e) \to c_j$ or $\mathcal{D} \models (e' \wedge e) \to \neg c_j$

We prove that, for any derivation

$$\xi = (D_0.C_I[C[H \| \sum_{j=1}^n ask(c_j) \to B_j]], c) \to^* (D_0.B, d)$$

with $m(B, d) \in \{ss, dd, ff\}$, there exists a derivation

$$\xi' = (D_0.C_I[C[\sum_{j=1}^n ask(c_j) \to (H \| B_j)]], c) \to^* (D_0.B', d')$$

such that

$$\exists_{-Var(C_I[C[H \| \sum_{j=1}^n ask(c_j) \to B_j]], c)}\, d' = \exists_{-Var(C_I[C[H \| \sum_{j=1}^n ask(c_j) \to B_j]], c)}\, d$$

where also $wh(\xi') \le wh(\xi)$, and $m(B', d') = m(B, d)$. This together with the definition of weight implies the thesis.

If $H \| \sum_{j=1}^n ask(c_j) \to B_j$ is not evaluated in $\xi$, then the proof is immediate. Otherwise we have to distinguish two cases:

1) There exists an $h \in [1, n]$, such that

$$\xi = (D_0.C_I[C[H \| \sum_{j=1}^n ask(c_j) \to B_j]], c) \to^* (D_0.C_m[H \| \sum_{j=1}^n ask(c_j) \to B_j], d_m) \to (D_0.C_m[H \| B_h], d_m) \to^* (D_0.B, d)$$

and $\mathcal{D} \models d_m \to c_h$. In this case we can construct the derivation

$$\chi = (D_0.C_I[C[\sum_{j=1}^n ask(c_j) \to (H \| B_j)]], c) \to^* (D_0.C_m[\sum_{j=1}^n ask(c_j) \to (H \| B_j)], d_m) \to (D_0.C_m[H \| B_h], d_m) \to^* (D_0.B, d)$$

which performs exactly the same steps of $\xi$ and then the thesis holds.

2) $\xi$ is of the form

$$\xi = (D_0.C_I[C[H \| \sum_{j=1}^n ask(c_j) \to B_j]], c) \to^* (D_0.C_m[H \| \sum_{j=1}^n ask(c_j) \to B_j], d_m) \to (D_0.C_m[H' \| \sum_{j=1}^n ask(c_j) \to B_j], d_{m+1}) \to^* (D_0.B, d).$$

By Lemma A.1 and by definition of $pc$, we can construct another derivation

$$\chi = (D_0.C_I[C[H \| \sum_{j=1}^n ask(c_j) \to B_j]], c) \to^* (D_0.C_m[H \| \sum_{j=1}^n ask(c_j) \to B_j], d_m) \to^* (D_0.C_k[H \| \sum_{j=1}^n ask(c_j) \to B_j], d_k) \to^* (D_0.B, d)$$

which performs the same steps of $\xi$ (possibly in a different order) and such that the agent $H$ is not evaluated in the first $k$ steps, where $Var(d_k) \cap Var(cl) \subseteq Var(q(\bar r), C)$ and $\mathcal{D} \models d_k \to e\ (= pc(C[\ ]))$. Let $\chi_1 = (D_0.C_k[H \| \sum_{j=1}^n ask(c_j) \to B_j], d_k) \to^* (D_0.B, d)$. Now, if $(D_0.H, d_k)$ is not productive, the proof is analogous to that one of Case 6 of Proposition 4.5 and hence it is omitted. Then assume that $(D_0.H, d_k)$ is productive. By definition of distribution there exists at least one $j \in [1, n]$ such that $\mathcal{D} \models d_k \to c_j$ and for each $j \in [1, n]$, either $\mathcal{D} \models d_k \to c_j$ or $\mathcal{D} \models d_k \to \neg c_j$. Then, by definition, there exists a derivation $\xi_1 = (D_0.C_k[\sum_{j=1}^n ask(c_j) \to (H \| B_j)], d_k) \to^* (D_0.B, d)$, which performs the same steps of $\chi_1$ (possibly in a different order).

Therefore there exists a derivation

$$\xi' = (D_0.C_I[C[\sum_{j=1}^n ask(c_j) \to (H \| B_j)]], c) \to^* (D_0.C_m[\sum_{j=1}^n ask(c_j) \to (H \| B_j)], d_m) \to^* (D_0.C_k[\sum_{j=1}^n ask(c_j) \to (H \| B_j)], d_k) \to^* (D_0.B, d)$$

which performs the same steps of $\chi$ (in a different order). By construction $wh(\xi') = wh(\chi) = wh(\xi)$ and then the thesis holds.

Case 7: $cl'$ is the result of a folding.
Let

- $cl : q(\bar r) \leftarrow C[B]$ be the folded declaration ($\in D_i$),

- $f : p(\bar X) \leftarrow B$ be the folding declaration ($\in D_0$),

- $cl' : q(\bar r) \leftarrow C[p(\bar X)]$ be the result of the folding operation ($\in D_{i+1}$),

where, by hypothesis, $Var(cl) \cap Var(\bar X) \subseteq Var(B)$, $Var(B) \cap Var(\bar r, C) \subseteq Var(\bar X)$, $Var(C[B], C[p(\bar X)]) \cap Var(C_I, c) \subseteq Var(\bar r)$, $Var(c') \cap Var(\bar r) \subseteq Var(C_I[C[B]], c)$ and there exists $n$ such that $w_t(C_I[C[B]], c, c') = n$. Then,

$$Var(B) \cap Var(C_I[C[\ ]], c) \subseteq Var(B) \cap Var(\bar r, C) \subseteq Var(\bar X) \qquad (53)$$
ACM Transactions on Programming Languages and Systems, Vol. TBD, No. TDB, Month Year. 



App-12 • Sandra Etalle et al. 

and

$$Var(c') \cap Var(\bar r) \subseteq Var(C_I[C[B]], c) \cap Var(\bar r) \subseteq Var(C_I[C[p(\bar X)]], c) \qquad (54)$$

hold. Moreover, we can assume without loss of generality that $Var(c') \cap Var(\bar X) \subseteq Var(C_I[C[B]], c)$.

Since $f \in D_0$, from (53) and Point 2 of Lemma A.4 it follows that there exists a constraint $d'$ such that $w_t(C_I[C[p(\bar X)]], c, d') \le w_t(C_I[C[B]], c, c')$ and

$$\exists_{-Var(C_I[C[p(\bar X)]], c)}\, d' = \exists_{-Var(C_I[C[p(\bar X)]], c)}\, c'. \qquad (55)$$

We can assume, without loss of generality, that $Var(d') \subseteq Var(C_I[C[p(\bar X)]], c)$. Then by using (54) and (55) we obtain that $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$ which concludes the proof of a).

b) Assume that the parts 1 and 2 of this Lemma hold for $i \ge 0$. We prove that 1 holds for $i + 1 > 0$.

Let $cl' : q(\bar r) \leftarrow H' \in D_{i+1}$, and let $cl : q(\bar r) \leftarrow H$ be the corresponding declaration in $D_i$. Moreover let $C_I[\ ]$ be a context, $c$ a satisfiable constraint and let $c'$ be a constraint, such that $Var(H') \cap Var(C_I, c) \subseteq Var(\bar r)$ and $w_t(C_I[q(\bar r)], c, c')$ is defined. Without loss of generality, we can assume that $Var(H) \cap Var(C_I, c) \subseteq Var(\bar r)$. Then, since by inductive hypothesis, part 1 holds for $i$, there exists a constraint $d_1$ such that $Var(d_1) \subseteq Var(C_I[H], c)$,

$$w_t(C_I[H], c, d_1) \le w_t(C_I[q(\bar r)], c, c') \ \text{ and } \ \exists_{-Var(C_I[q(\bar r)], c)}\, d_1 = \exists_{-Var(C_I[q(\bar r)], c)}\, c'. \qquad (56)$$

Since by inductive hypothesis part 2 holds for $i$, there exists a constraint $d'$, such that $Var(d') \subseteq Var(C_I[H'], c)$, $w_t(C_I[H'], c, d') \le w_t(C_I[H], c, d_1)$ and $\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, d_1$.

By (56) we obtain $w_t(C_I[H'], c, d') \le w_t(C_I[q(\bar r)], c, c')$ and

$$\exists_{-Var(C_I[q(\bar r)], c)}\, d' = \exists_{-Var(C_I[q(\bar r)], c)}\, c'$$

and then the thesis holds. $\square$

Lemma A.6. Let $0 \le i \le n$, $c_1, c_m$ satisfiable constraints, $c_k$ a constraint and assume that there exists a derivation $\xi : (D_i.A_1, c_1) \to^* (D_i.A_m, c_m) \to^* (D_i.A_k, c_k)$, such that

i) in the first $m - 1$ steps of $\xi$ rule R2 is used only for evaluating agents of the form $ask(c) \to B$,

ii) $w_t(A_1, c_1, c_k)$ is defined (for $t = m(A_k, c_k) \in \{ss, dd, ff\}$).

Then there exists a constraint $c'$ such that $Var(c') \subseteq Var(A_m, c_m)$, $\exists_{-Var(A_1, c_1)}\, c_k = \exists_{-Var(A_1, c_1)}\, c'$ and $w_t(A_m, c_m, c') \le w_t(A_1, c_1, c_k)$.

Proof. We prove the thesis for one derivation step. Then the proof of the Lemma follows by using a straightforward inductive argument. Assume that $c_1, c_2$ are satisfiable constraints, $c_k$ is a constraint and that there exists a derivation

$$(D_i.A_1, c_1) \to (D_i.A_2, c_2) \to^* (D_i.A_k, c_k)$$

such that $m(A_k, c_k) \in \{ss, dd, ff\}$ and the first step can use rule R2 only for evaluating agents of the form $ask(c) \to B$. By the definition of derivation we have $A_1 = C_1[A]$, where $C_1[\ ]$ is not a guarding context. We have now three cases:

1) $A = tell(c)$. In this case

$$(D_i.C_1[tell(c)], c_1) \to (D_i.C_1[Stop], c_1 \wedge c) \to^* (D_i.A_k, c_k).$$

Since $C_1[\ ]$ is not a guarding context the definition of weight implies that

$$w_t(C_1[Stop], c_1 \wedge c, \exists_{-Var(C_1[Stop], c_1 \wedge c)}\, c_k) = w_t(C_1[tell(c)], c_1, c_k)$$

where $t = m(A_k, c_k)$. Then the thesis holds.

2) $A = q(\bar v)$ and there exists a declaration $cl : q(\bar r) \leftarrow B \in D_i$. In this case

$$(D_i.C_1[q(\bar v)], c_1) \to (D_i.C_1[B \| tell(\bar v = \bar r)], c_1) \to^* (D_i.A_k, c_k).$$

From the definition of derivation it follows that $Var(C_1[q(\bar v)], c_1) \cap Var(q(\bar r)) = \emptyset$. Furthermore, by definition of transformation sequence, there exists a declaration $q(\bar r) \leftarrow H \in D_0$. Since $w_t(C_1[q(\bar v)], c_1, c_k)$ is defined by hypothesis (where $t = m(A_k, c_k)$), from Lemma A.3 it follows that there exists a constraint $d'$ such that $w_t(C_1[q(\bar r) \| tell(\bar v = \bar r)], c_1, d') \le w_t(C_1[q(\bar v)], c_1, c_k)$ and

$$\exists_{-Var(C_1[q(\bar v)], c_1)}\, d' = \exists_{-Var(C_1[q(\bar v)], c_1)}\, c_k.$$

From the definition of derivation it follows that $Var(B) \cap Var(C_1[\ \| tell(\bar v = \bar r)], c_1) \subseteq Var(\bar r)$. Part 1 of Lemma A.5 implies that there exists a constraint $c'$ such that $Var(c') \subseteq Var(C_1[B \| tell(\bar v = \bar r)], c_1)$, $w_t(C_1[B \| tell(\bar v = \bar r)], c_1, c') \le w_t(C_1[q(\bar r) \| tell(\bar v = \bar r)], c_1, d')$ and

$$\exists_{-Var(C_1[q(\bar r) \| tell(\bar v = \bar r)], c_1)}\, c' = \exists_{-Var(C_1[q(\bar r) \| tell(\bar v = \bar r)], c_1)}\, d'.$$

These results together with the inclusion $Var(C_1[q(\bar v)], c_1) \subseteq Var(C_1[q(\bar r) \| tell(\bar v = \bar r)], c_1)$ imply that $w_t(C_1[B \| tell(\bar v = \bar r)], c_1, c') \le w_t(C_1[q(\bar v)], c_1, c_k)$ and

$$\exists_{-Var(C_1[q(\bar v)], c_1)}\, c' = \exists_{-Var(C_1[q(\bar v)], c_1)}\, c_k,$$

thus concluding the proof for this case.

3) $A = ask(c) \to B$ and $\mathcal{D} \models c_1 \to c$. In this case

$$(D_i.C_1[ask(c) \to B], c_1) \to (D_i.C_1[B], c_1) \to^* (D_i.A_k, c_k).$$

Since $C_1[\ ]$ is not a guarding context and $\mathcal{D} \models c_1 \to c$ we obtain

$$w_t(C_1[B], c_1, \exists_{-Var(C_1[B], c_1)}\, c_k) \le w_t(C_1[ask(c) \to B], c_1, c_k)$$

where $t = m(A_k, c_k)$, which concludes the proof. $\square$

We need one last lemma.

Lemma A.7. Let $c$ be a satisfiable constraint, $A$ be the agent $A_1 \| \ldots \| A_l$, where for any $j \in [1, l]$ either $A_j$ is a choice agent or $A_j = Stop$ and assume there exists a split derivation $\psi$ in $D_0$,

$$\psi = (D_0.A, c) \to (D_0.A', c') \to^* (D_0.B, d),$$

where $m(B, d) \in \{ss, dd, ff\}$. Then $(D_i.A, c) \to (D_0.A', c') \to^* (D_0.B, d)$ is a split derivation in $D_i \cup D_0$.

Proof. The proof is straightforward, by observing that by the hypothesis on $A$ the first step of $\psi$ uses the rule R2 (in case such a step exists) and therefore, by definition of split derivation, $w_t(A, c, d) > w_t(A', c', d)$, where $t = m(B, d)$. Then by definition, $(D_i.A, c) \to (D_0.A', c') \to^* (D_0.B, d)$ is a split derivation in $D_i \cup D_0$. $\square$

We can now prove our main theorem.

Theorem 4.13 (Total Correctness). Let $D_0, \ldots, D_n$ be a transformation sequence. Then, for any agent $A$,

$$\mathcal{O}(D_0.A) = \mathcal{O}(D_n.A).$$

Proof. The proof proceeds by showing simultaneously, by induction on $i$, that for $i \in [0, n]$:

(1) for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_i.A)$;

(2) $D_i$ is weight complete.

Base case. We just need to prove that $D_0$ is weight complete. Assume that there exists a derivation $(D_0.A, c_I) \to^* (D_0.B, c_F)$, where $c_I$ is a satisfiable constraint and $m(B, c_F) \in \{ss, dd, ff\}$. Then there exists a derivation $\xi : (D_0.A, c_I) \to^* (D_0.B', c'_F)$, such that $m(B', c'_F) = m(B, c_F)$, whose weight is minimal and where $\exists_{-Var(A, c_I)}\, c'_F = \exists_{-Var(A, c_I)}\, c_F$. It follows from Definition 4.7 that $\xi$ is a split derivation.

Induction step.

By the inductive hypothesis for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_{i-1}.A)$ and $D_{i-1}$ is weight complete. From propositions 4.5 and 4.9 it follows that if $D_i$ is weight complete then for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_i.A)$. So, in order to prove parts 1 and 2, we only have to show that $D_i$ is weight complete.

Assume then that there exists a derivation $(D_0.A, c_I) \to^* (D_0.B, c_F)$ such that $c_I$ is a satisfiable constraint and $m(B, c_F) \in \{ss, dd, ff\}$. From the inductive hypothesis it follows that there exists a split derivation

$$\chi = (D_{i-1}.A, c_I) \to^* (D_{i-1}.A_m, c_m) \to (D_0.A_{m+1}, c_{m+1}) \to^* (D_0.B'', c''_F)$$

where

$$\exists_{-Var(A, c_I)}\, c''_F = \exists_{-Var(A, c_I)}\, c_F \ \text{ and } \ m(B'', c''_F) = m(B, c_F). \qquad (57)$$

Let $d \in D_{i-1} \setminus D_i$ be the modified clause in the transformation step from $D_{i-1}$ to $D_i$.

If in the first $m$ steps of $\chi$ there is no procedure call which uses $d$ then clearly there exists a split derivation $\xi$ in $D_i \cup D_0$,

$$\xi = (D_i.A, c_I) \to^* (D_i.A_m, c_m) \to (D_0.A_{m+1}, c_{m+1}) \to^* (D_0.B'', c''_F)$$

which performs the same steps of $\chi$ and then the thesis holds.

Otherwise, assume without loss of generality that R4 is the rule used in the first step of derivation $\chi$ and that $d$ is the clause employed in the first step of $\chi$. We also assume that the declaration $d$ is used only once in $\chi$, since the extension to the general case is immediate.

We have to distinguish various cases according to what happens to the clause $d$ when moving from $D_{i-1}$ to $D_i$.

Case 1: $d$ is unfolded.

Let $d'$ be the corresponding declaration in $D_i$. The situation is the following:

- $d : q(\bar r) \leftarrow C[p(\bar t)] \in D_{i-1}$,

- $u : p(\bar s) \leftarrow H \in D_{i-1}$, and

- $d' : q(\bar r) \leftarrow C[H \| tell(\bar t = \bar s)] \in D_i$,

where $d$ and $u$ are assumed to be renamed apart. By the definition of split derivation, $\chi$ has the form

$$(D_{i-1}.C_I[q(\bar v)], c_I) \to (D_{i-1}.C_I[C[p(\bar t)] \| tell(\bar v = \bar r)], c_I) \to^* (D_{i-1}.A_m, c_m) \to (D_0.A_{m+1}, c_{m+1}) \to^* (D_0.B'', c''_F).$$

Without loss of generality, we can assume that $Var(\chi) \cap Var(u) \neq \emptyset$ if and only if $p(\bar t)$ is evaluated in the first $m$ steps of $\chi$, in which case $u$ is used for evaluating it. We have to distinguish two cases.

1) There exists $k \le m$ such that the $k$-th derivation step of $\chi$ is the procedure call $p(\bar t)$. In this case $\chi$ has the form

$$(D_{i-1}.C_I[q(\bar v)], c_I) \to (D_{i-1}.C_I[C[p(\bar t)] \| tell(\bar v = \bar r)], c_I) \to^* (D_{i-1}.C_k[p(\bar t)], c_k) \to (D_{i-1}.C_k[H \| tell(\bar t = \bar s)], c_k) \to^* (D_{i-1}.A_m, c_m) \to (D_0.A_{m+1}, c_{m+1}) \to^* (D_0.B'', c''_F).$$

Then there exists a corresponding derivation in $D_i \cup D_0$

$$\xi = (D_i.C_I[q(\bar v)], c_I) \to (D_i.C_I[C[H \| tell(\bar t = \bar s)] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.C_k[H \| tell(\bar t = \bar s)], c_k) \to^* (D_i.A_m, c_m) \to (D_0.A_{m+1}, c_{m+1}) \to^* (D_0.B'', c''_F),$$

which performs exactly the same steps of $\chi$ except for a procedure call to $p(\bar t)$. In this case the proof follows by observing that, since by the inductive hypothesis $\chi$ is a split derivation, the same holds for $\xi$.

2) There is no procedure call to $p(\bar t)$ in the first $m$ steps. Therefore $\chi$ has the form

$$(D_{i-1}.C_I[q(\bar v)], c_I) \to (D_{i-1}.C_I[C[p(\bar t)] \| tell(\bar v = \bar r)], c_I) \to^* (D_{i-1}.C_m[p(\bar t)], c_m) \to (D_0.C_{m+1}[p(\bar t)], c_m) \to^* (D_0.B'', c''_F).$$

Then, by the definition of $D_i$, there exists a derivation

$$\xi_0 = (D_i.C_I[q(\bar v)], c_I) \to (D_i.C_I[C[H \| tell(\bar t = \bar s)] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.C_m[H \| tell(\bar t = \bar s)], c_m) \to (D_0.C_{m+1}[H \| tell(\bar t = \bar s)], c_m).$$

Observe that from the derivation $(D_0.C_{m+1}[p(\bar t)], c_m) \to^* (D_0.B'', c''_F)$ and (57) it follows that

$$w_t(C_{m+1}[p(\bar t)], c_m, c''_F) \text{ is defined, where } t = m(B, c_F). \qquad (58)$$

The hypothesis on the variables implies that $Var(C_{m+1}[p(\bar t)], c_m) \cap Var(u) = \emptyset$. Then, by the definition of transformation sequence and since $u \in D_{i-1}$, there exists a declaration $p(\bar s) \leftarrow H_0 \in D_0$. By Lemma A.3 and part 1 of Lemma A.5 it follows that there exists a constraint $d_F$ such that

$$w_t(C_{m+1}[H \| tell(\bar t = \bar s)], c_m, d_F) \le w_t(C_{m+1}[p(\bar t)], c_m, c''_F) \qquad (59)$$

and

$$\exists_{-Var(C_{m+1}[p(\bar t)], c_m)}\, d_F = \exists_{-Var(C_{m+1}[p(\bar t)], c_m)}\, c''_F. \qquad (60)$$

Therefore, by the definition of $w_t$, by (59) and since $w_t(C_{m+1}[p(\bar t)], c_m, c''_F)$ is defined, there exists a derivation

$$\xi_1 = (D_0.C_{m+1}[H \| tell(\bar t = \bar s)], c_m) \to^* (D_0.B', c'_F),$$

where $\exists_{-Var(C_{m+1}[H \| tell(\bar t = \bar s)], c_m)}\, c'_F = \exists_{-Var(C_{m+1}[H \| tell(\bar t = \bar s)], c_m)}\, d_F$ and, by (58),

$$m(B', c'_F) = m(B, c_F). \qquad (61)$$

By (60)

$$\exists_{-Var(C_{m+1}, c_m)}\, c'_F = \exists_{-Var(C_{m+1}, c_m)}\, c''_F \qquad (62)$$

holds and, by definition of weight, we obtain

$$w_t(C_{m+1}[H \| tell(\bar t = \bar s)], c_m, c'_F) = w_t(C_{m+1}[H \| tell(\bar t = \bar s)], c_m, d_F). \qquad (63)$$

Moreover, we can assume without loss of generality that $Var(\xi_0) \cap Var(\xi_1) = Var(C_{m+1}[H \| tell(\bar t = \bar s)], c_m)$. Then, by the definition of procedure call

$$Var(C_I[q(\bar v)], c_I) \cap (Var(c'_F) \cup Var(c''_F)) \subseteq Var(C_{m+1}, c_m) \qquad (64)$$

and there exists a derivation

$$\xi = (D_i.C_I[q(\bar v)], c_I) \to (D_i.C_I[C[H \| tell(\bar t = \bar s)] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.C_m[H \| tell(\bar t = \bar s)], c_m) \to (D_0.C_{m+1}[H \| tell(\bar t = \bar s)], c_m) \to^* (D_0.B', c'_F)$$

such that the first $m - 1$ derivation steps do not use rule R2 and the $m$-th derivation step uses the rule R2. Now, we have the following equalities

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, c'_F = \text{(by (64) and by construction)}$$

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, (c_m \wedge \exists_{-Var(C_{m+1}, c_m)}\, c'_F) = \text{(by (62))}$$

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, (c_m \wedge \exists_{-Var(C_{m+1}, c_m)}\, c''_F) = \text{(by (64) and by construction)}$$

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, c''_F = \text{(by the first statement in (57))}$$

$$\exists_{-Var(C_I[q(\bar v)], c_I)}\, c_F.$$

By the definition of weight, $w_t(C_I[q(\bar v)], c_I, c'_F) = w_t(C_I[q(\bar v)], c_I, c''_F)$; by (63) and (59), $w_t(C_{m+1}[H \| tell(\bar t = \bar s)], c_m, c'_F) \le w_t(C_{m+1}[p(\bar t)], c_m, c''_F)$ and $w_t(C_{m+1}[p(\bar t)], c_m, c''_F) < w_t(C_I[q(\bar v)], c_I, c''_F)$, since $\chi$ is a split derivation. Therefore $w_t(C_{m+1}[H \| tell(\bar t = \bar s)], c_m, c'_F) < w_t(C_I[q(\bar v)], c_I, c'_F)$ and then, by definition, $\xi$ is a split derivation in $D_i \cup D_0$. This, together with (61), implies the thesis.

Case 2: A tell constraint in $d$ is eliminated or introduced.

In the first case, let $d'$ be the corresponding declaration in $D_i$. Therefore the situation is the following:

- $d : q(\bar r) \leftarrow C[tell(\bar s = \bar t) \| H]$

- $d' : q(\bar r) \leftarrow C[H\sigma]$

where $\sigma$ is a relevant most general unifier of $\bar s$ and $\bar t$ and the variables in the domain of $\sigma$ occur neither in $C[\ ]$ nor in $q(\bar r)$. Observe that for any derivation which uses the declaration $d$, we can construct another derivation such that the agent $tell(\bar s = \bar t)$ is evaluated before $H$. Then the thesis follows from Lemma A.5 and from the argument used in the proof of Case 2 of Proposition 4.5. The proof for the tell introduction is analogous and hence it is omitted.

Case 3: $d$ is backward instantiated.

Let $d'$ be the corresponding declaration in $D_i$. The situation is the following:

- $d : q(\bar r) \leftarrow C[p(\bar t)] \in D_{i-1}$,

- $d' : q(\bar r) \leftarrow C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)] \in D_i$,

where $c : p(\bar s) \leftarrow tell(b) \| B \in D_{i-1}$ has no variable in common with $d$ (the case $d' : q(\bar r) \leftarrow C[p(\bar t) \| tell(\bar t = \bar s)]$ is analogous and hence omitted). We distinguish two cases:

1) There is no procedure call to $p(\bar t)$ in the first $m$ steps. Therefore $\chi$ has the form

$$(D_{i-1}.C_I[q(\bar v)], c_I) \to (D_{i-1}.C_I[C[p(\bar t)] \| tell(\bar v = \bar r)], c_I) \to^* (D_{i-1}.C_m[p(\bar t)], c_m) \to (D_0.C_{m+1}[p(\bar t)], c_m) \to^* (D_0.B'', c''_F).$$

Without loss of generality, we can assume that $Var(\chi) \cap Var(p(\bar t) \| tell(b) \| tell(\bar t = \bar s)) = Var(\bar t)$. Then, by the definition of $D_i$, there exists a derivation corresponding to $\chi$,

$$\xi_0 = (D_i.C_I[q(\bar v)], c_I) \to (D_i.C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.C_m[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)], c_m) \to (D_0.C_{m+1}[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)], c_m).$$

Following the same reasoning as in Case 3 of Lemma A.5, we can prove that there exists a constraint $d_F$ such that

$$w_t(C_{m+1}[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)], c_m, d_F) \le w_t(C_{m+1}[p(\bar t)], c_m, c''_F)$$

where $\exists_{-Var(C_{m+1}[p(\bar t)], c_m)}\, d_F = \exists_{-Var(C_{m+1}[p(\bar t)], c_m)}\, c''_F$ and $t = m(B'', c''_F)$. The rest of the proof is analogous to Case 1 (unfolding) and hence it is omitted.

2) There exists $k \le m$ such that the $k$-th derivation step of $\chi$ is the procedure call $p(\bar t)$. We distinguish two more cases:

2a) $p \neq q$. In this case we can assume, without loss of generality, that $\chi$ has the form

$$(D_{i-1}.C_I[q(\bar v)], c_I) \to (D_{i-1}.C_I[C[p(\bar t)] \| tell(\bar v = \bar r)], c_I) \to^* (D_{i-1}.C_k[p(\bar t)], c_k) \to (D_{i-1}.C_k[tell(b) \| B \| tell(\bar t = \bar s')], c_k) \to^* (D_{i-1}.A_m, c_m) \to (D_0.A_{m+1}, c_m) \to^* (D_0.B'', c''_F)$$

where $c' = p(\bar s') \leftarrow tell(b) \| B$ is a renaming of $c$ such that $Var(c') \cap Var(d') = \emptyset$. In this case there exists a derivation

$$(D_i.C_I[q(\bar v)], c_I) \to (D_i.C_I[C[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)] \| tell(\bar v = \bar r)], c_I) \to^* (D_i.C_k[tell(b) \| B \| tell(\bar t = \bar s') \| tell(b) \| tell(\bar t = \bar s)], c_k).$$

Observe now that, given any set of declarations, if there exists a derivation $\chi'$ for the configuration $(C'[tell(b) \| B \| tell(\bar t = \bar s')], c')$ where $c'$ is satisfiable and $Var(C', c') \cap Var(b, \bar s) = \emptyset$, then there exists a derivation for $(C'[tell(b) \| B \| tell(\bar t = \bar s') \| tell(b) \| tell(\bar t = \bar s)], c')$ which performs the same steps of $\chi'$ plus (possibly) two steps corresponding to the evaluation of $tell(b)$ and $tell(\bar t = \bar s)$. Since $(\bar t = \bar s') \wedge (\bar t = \bar s)$ is logically equivalent to $(\bar t = \bar s') \wedge (\bar s' = \bar s)$, we can replace $tell(\bar t = \bar s') \| tell(\bar t = \bar s)$ with $tell(\bar t = \bar s') \| tell(\bar s' = \bar s)$. Moreover, since $p(\bar s') \leftarrow tell(b) \| B$ is a renaming of $c$ and therefore $\mathcal{D} \models (b \wedge (\bar s' = \bar s)) \to b$ holds, we can drop the agent $tell(b)$.

Finally, observe that $\bar s' = \bar s$ can be reduced to a conjunction of equations of the form $X = Y$, where $X \in Var(\bar s)$ and $Y \in Var(\bar s')$ are distinct variables. Therefore, we can drop the constraint $tell(\bar s' = \bar s)$, since the declarations used in the derivation are renamed apart and $Var(C'[tell(b) \| B \| tell(\bar t = \bar s')], c') \cap Var(\bar s) = \emptyset$. Then the thesis holds for this case.
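Two of the side conditions used above rest on syntactic unification: Case 2 needs a relevant most general unifier of $\bar s$ and $\bar t$ whose domain avoids $Var(C[\ ])$ and $Var(q(\bar r))$, and Case 3 (2a) needs that $\bar s' = \bar s$, for $\bar s'$ a renaming of $\bar s$, reduces to equations between distinct variables. The following Python is an added example, not code from the paper or its authors; it implements Robinson unification with an occurs check and uses it to decide both conditions. The term encoding, the `protected` orientation rule and the helper names (`tell_elimination`, `renaming_equations`, `context_vars` standing for $Var(C[\ ])$) are assumptions of this example.

```python
"""Added example (not from the paper): syntactic unification used to check
the side conditions of tell elimination (Case 2 of the theorem) and the
reduction of s' = s to equations between distinct variables (Case 3, 2a).

Term encoding (an assumption of this example):
  - a variable is a str starting with an uppercase letter, e.g. "X";
  - a constant or functor application is a tuple ("f", arg1, ..., argn);
  - an argument tuple such as s or t is a Python list of terms.
"""


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def variables(t):
    """Var(t): the set of variables occurring in a term or list of terms."""
    if is_var(t):
        return {t}
    if isinstance(t, (tuple, list)):
        return set().union(*(variables(x) for x in t)) if t else set()
    return set()


def walk(t, sigma):
    """Dereference a variable through sigma until it is unbound or non-variable."""
    while is_var(t) and t in sigma:
        t = sigma[t]
    return t


def apply_subst(t, sigma):
    """t sigma, applied repeatedly so that a non-idempotent sigma is also resolved."""
    t = walk(t, sigma)
    if isinstance(t, tuple):
        return tuple(apply_subst(x, sigma) for x in t)
    if isinstance(t, list):
        return [apply_subst(x, sigma) for x in t]
    return t


def occurs(v, t, sigma):
    t = walk(t, sigma)
    if t == v:
        return True
    if isinstance(t, (tuple, list)):
        return any(occurs(v, x, sigma) for x in t)
    return False


def unify(s, t, protected=frozenset()):
    """Robinson unification with occurs check. Returns an idempotent, relevant mgu
    as a dict, or None if s and t do not unify. When a variable-variable binding
    can be oriented either way, a variable in `protected` is kept out of the
    domain, which is how the Case 2 side condition is met whenever possible."""
    sigma, stack = {}, [(s, t)]
    while stack:
        a, b = stack.pop()
        a, b = walk(a, sigma), walk(b, sigma)
        if a == b:
            continue
        if is_var(a) and is_var(b) and a in protected and b not in protected:
            a, b = b, a
        if is_var(a):
            if occurs(a, b, sigma):
                return None
            sigma[a] = b
        elif is_var(b):
            if occurs(b, a, sigma):
                return None
            sigma[b] = a
        elif type(a) is type(b) and len(a) == len(b) and (isinstance(a, list) or a[0] == b[0]):
            stack.extend(zip(a, b))  # same functor (or two argument lists): unify pointwise
        else:
            return None
    return {v: apply_subst(x, sigma) for v, x in sigma.items()}


def tell_elimination(head, context_vars, s, t, H):
    """Case 2: C[tell(s = t) || H] may become C[H sigma] when sigma is a relevant mgu
    of s and t whose domain is disjoint from Var(C[ ]) and Var(q(r)). `context_vars`
    stands for Var(C[ ]) (an assumption of this example). Returns H sigma, or None
    when the side condition cannot be met, in which case the tell agent must stay."""
    forbidden = set(context_vars) | variables(head)
    sigma = unify(s, t, protected=frozenset(forbidden))
    if sigma is None or set(sigma) & forbidden:
        return None
    return apply_subst(H, sigma)


def renaming_equations(s, s_prime):
    """Case 3 (2a): for s' a renaming of s with Var(s) and Var(s') disjoint, the
    constraint s' = s is a conjunction of equations X = Y between distinct
    variables. Returns those pairs sorted, or None if s' is not such a renaming."""
    if variables(s) & variables(s_prime):
        return None
    sigma = unify(s, s_prime)
    if sigma is None or not all(is_var(v) for v in sigma.values()) \
            or len(set(sigma.values())) != len(sigma):
        return None
    return sorted(sigma.items())


if __name__ == "__main__":
    # constructed sample: d : q(R) <- C[ tell(<f(X),Y> = <f(Z),a>) || p(X,Y,R) ]
    print(tell_elimination(("q", "R"), {"W"}, [("f", "X"), "Y"], [("f", "Z"), ("a",)], ("p", "X", "Y", "R")))
    print(renaming_equations([("f", "X"), "Y"], [("f", "A"), "B"]))
```

The orientation rule in `unify` matters for Case 2: for $tell(R = X)$ with $R$ in the head, binding $X \mapsto R$ satisfies the domain condition while $R \mapsto X$ would not, so the unifier prefers the former; when every mgu must bind a protected variable (for instance $R = a$), the function reports that the tell cannot be eliminated.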

2b) $p = q$. In this case, the situation is the following:

- $d : p(\bar r) \leftarrow tell(b') \| C''[p(\bar t)] \in D_{i-1}$,

- $d' : p(\bar r) \leftarrow tell(b') \| C''[p(\bar t) \| tell(b) \| tell(\bar t = \bar s)] \in D_i$,

where $c : p(\bar s) \leftarrow tell(b) \| C'[p(\bar u)]$ is a renaming of $d$ which has no variables in common with $d$. Let $c' = p(\bar s') \leftarrow tell(b) \| C[p(\bar u')]$ be a renaming of $c$ such that $Var(c') \cap Var(d') = \emptyset$. Now the proof is analogous to the previous one by observing that, for any set of declarations, if there exists a derivation $\chi'$ for $(C'[tell(b) \| C[p(\bar u')] \| tell(\bar t = \bar s')], c')$ where $c'$ is satisfiable and $Var(C', c') \cap Var(b, \bar s) = \emptyset$, then there exists a derivation for $(C'[tell(b) \| C[p(\bar u')] \| tell(\bar t = \bar s') \| tell(b) \| tell(\bar t = \bar s)], c')$ which performs the same steps of $\chi'$, plus some tell actions (analogously to the previous case, we can drop the tell agents $tell(b)$ and $tell(\bar t = \bar s)$). This concludes the proof of this case.

Case 4: An ask guard in $d$ is simplified. Let

- $d : q(r) \leftarrow C[\sum_{j=1}^{n} ask(c_j) \to B_j]$,
- $d' : q(r) \leftarrow C[\sum_{j=1}^{n} ask(c'_j) \to B_j] \in D_i$,

where for $j \in [1,n]$, $\mathcal{D} \models \exists_{-Var(q(r),B_j)}\,(pc(C[\,]) \wedge c_j) \leftrightarrow (pc(C[\,]) \wedge c'_j)$, and $d \in D_{i-1}$ is the declaration to which the guard simplification was applied.

By the definition of split derivation $\chi$ has the form
$$\chi = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_m[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_m\rangle \to \langle D_0.A_{m+1}, c_m\rangle \to^* \langle D_0.B'', c''_F\rangle.$$

Since by the inductive hypothesis for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_{i-1}.A)$, it is easy to check that there exists a derivation
$$\chi' = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_m[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_m\rangle \to^* \langle D_{i-1}.C_{m+h}[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}\rangle \to^* \langle D_{i-1}.\bar B, \bar c_F\rangle$$
such that $\exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F = \exists_{-Var(C_I[q(v)],c_I)}\,c''_F$ and $m(\bar B, \bar c_F) = m(B'', c''_F)$. From (57) it follows that
$$\exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F = \exists_{-Var(C_I[q(v)],c_I)}\,c_F \quad\text{and}\quad m(\bar B, \bar c_F) = m(B, c_F). \tag{65}$$

Without loss of generality, we can assume that $\chi'$ is chosen in such a way that the first $m+h$ steps of $\chi'$ do not use rule R2 and that $h$ is maximal, in the sense that either $c_{m+h}$ is not satisfiable or in the $(m+h+1)$-th step we can only use rule R2.

In the first case, let $C'_{m+h}[\,]$ be the context obtained from $C_{m+h}[\,]$ as follows: any (renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c_j) \to B_j$ in $C_{m+h}[\,]$, introduced in $\chi'$ by a procedure call of the form $q(s)$, is replaced by a (suitably renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c'_j) \to B_j$. Then, by definition of $D_i$, we have that
$$\xi = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j] \| tell(v=r)], c_I\rangle \to^* \langle D_i.C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}\rangle$$
is a derivation in $D_i$ which does not use rule R2 and such that
$$m(C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}) = m(\bar B, \bar c_F) = ff.$$
Then the thesis follows by definition of split derivation.
Now assume that $c_{m+h}$ is satisfiable. By Lemma A.6 and (65), there exists a constraint $d$ such that $Var(d) \subseteq Var(C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h})$ and
$$wt_t(C_{m+h}[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}, d) < wt_t(C_I[q(v)], c_I, \bar c_F) \tag{66}$$
where
$$\exists_{-Var(C_I[q(v)],c_I)}\,d = \exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F \quad\text{and}\quad t = m(\bar B, \bar c_F). \tag{67}$$

By definition of weight, by (66) and since $Var(d) \subseteq Var(C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h})$, there exists a derivation
$$\langle D_0.C_{m+h}[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}\rangle \to^* \langle D_0.B', d'\rangle$$
such that $\exists_{-Var(C_{m+h}[\sum_{j=1}^{n} ask(c_j)\to B_j],\,c_{m+h})}\,d' = d$ and $m(B', d') = t$. Then, by the definition of weight and by (66),
$$wt_t(C_{m+h}[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}, d') < wt_t(C_I[q(v)], c_I, \bar c_F) \tag{68}$$
holds. Without loss of generality, we can assume that $Var(d') \cap Var(C_I[q(v)], c_I) \subseteq Var(C_{m+h}, c_{m+h})$. Therefore, from (67) it follows that
$$\exists_{-Var(C_I[q(v)],c_I)}\,d' = \exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F \quad\text{and}\quad m(B', d') = m(\bar B, \bar c_F). \tag{69}$$

Let $C'_{m+h}[\sum_{j=1}^{n} ask(c'_j) \to B_j]$ be the agent obtained from $C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j]$ as follows: any (renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c_j) \to B_j$ in $C_{m+h}[\,]$, introduced in $\chi'$ by a procedure call of the form $q(s)$, is replaced by a (suitably renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c'_j) \to B_j$. By the definition of $D_i$ and since $\langle D_{i-1}.C_I[q(v)], c_I\rangle \to^* \langle D_{i-1}.C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}\rangle$, there exists a derivation
$$\xi_0 = \langle D_i.C_I[q(v)], c_I\rangle \to^* \langle D_i.C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}\rangle,$$
which does not use rule R2. Observe that, by construction, $C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j]$ has the form $A_1 \| \ldots \| A_l$, where $A_j$ is either a choice agent or $Stop$ for each $j \in [1,l]$. Moreover, since the first $m+h$ steps of $\chi'$ do not use rule R2 (and therefore it is not possible to evaluate a procedure call of the form $q(s)$ inside a guarding context), $C'_{m+h}[\sum_{j=1}^{n} ask(c'_j) \to B_j]$ has the form $A'_1 \| \ldots \| A'_l$, where either $A'_j = A_j$, or $A_j$ is a (renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c_j) \to B_j$ while $A'_j$ is a (suitably renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c'_j) \to B_j$. By Lemma A.1, $\mathcal{D} \models c_{m+h} \to pc(C'[\,])$, where $C'[\,]$ is a renamed version of the context $C[\,]$ in $d$, which was introduced in $\chi'$ by a procedure call of the form $q(s)$.
Now from the definition of derivation and of ask simplification it follows that, if $ask(c_j) \to B_j$ is a choice branch in $C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j]$ and $ask(c'_j) \to B_j$ is the corresponding choice branch in $C'_{m+h}[\sum_{j=1}^{n} ask(c'_j) \to B_j]$, then
$$\mathcal{D} \models \exists_{-Var(B_j,c_{m+h})}\,(c_{m+h} \wedge c_j) \leftrightarrow (c_{m+h} \wedge c'_j)$$
holds. Therefore, by using the same arguments as in Case 4 of Proposition 4.5, since (by inductive hypothesis) $D_0$ is weight complete and $\langle D_0.C_{m+h}[\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}\rangle \to^* \langle D_0.B', d'\rangle$, we obtain that there exists a split derivation in $D_0$ of the form
$$\xi_1 = \langle D_0.C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}\rangle \to \langle D_0.B_{m+h+1}, c_{m+h}\rangle \to^* \langle D_0.B', c'_F\rangle$$
such that $\exists_{-Var(C'_{m+h}[\sum_{j=1}^{n} ask(c'_j)\to B_j],\,c_{m+h})}\,c'_F = \exists_{-Var(C'_{m+h}[\sum_{j=1}^{n} ask(c'_j)\to B_j],\,c_{m+h})}\,d'$ and $m(B', c'_F) = m(B', d')$.

Then, by using the same arguments as in Case 4 of Proposition 4.5, from the definition of weight and from (68) it follows that
$$wt_t(C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}, c'_F) = wt_t(C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}, d') = wt_t(C_{m+h}[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_{m+h}, d') < wt_t(C_I[q(v)], c_I, \bar c_F), \tag{70}$$
where $t = m(B', c'_F)$. Moreover, we can assume without loss of generality that
$$Var(\xi_0) \cap Var(\xi_1) = Var(C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}).$$
Then by (69) and (65) we obtain
$$\exists_{-Var(C_I[q(v)],c_I)}\,c'_F = \exists_{-Var(C_I[q(v)],c_I)}\,c_F \quad\text{and}\quad m(B', c'_F) = m(B, c_F) \tag{71}$$
and therefore, by definition of weight,
$$wt_t(C_I[q(v)], c_I, c'_F) = wt_t(C_I[q(v)], c_I, c_F) \tag{72}$$
holds. By Lemma A.7 and by construction of $C'_{m+h}[\sum_{j=1}^{n} ask(c'_j) \to B_j]$,
$$\langle D_i.C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}\rangle \to \langle D_0.B_{m+h+1}, c_{m+h}\rangle \to^* \langle D_0.B', c'_F\rangle$$
is a split derivation in $D_i \cup D_0$. By the definition of split derivation $wt_t(B_{m+h+1}, c_{m+h}, c'_F) < wt_t(C'_{m+h}[\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}, c'_F)$, where $t = m(B', c'_F)$. Then, by (72) and (70), we have that
$$wt_t(B_{m+h+1}, c_{m+h}, c'_F) < wt_t(C_I[q(v)], c_I, c'_F). \tag{73}$$
Finally,
$$\xi = \langle D_i.C_I[q(v)], c_I\rangle \to^* \langle D_i.C'_{m+h}[\textstyle\sum_{j=1}^{n} ask(c'_j) \to B_j], c_{m+h}\rangle \to \langle D_0.B_{m+h+1}, c_{m+h}\rangle \to^* \langle D_0.B', c'_F\rangle$$
is a derivation in $D_i \cup D_0$. By construction the first $m+h$ steps of $\xi$ do not use rule R2 and the $(m+h+1)$-th step uses rule R2. Thus the thesis follows from (73) and (71).

Case 5: $d$ is the declaration to which either a branch elimination or an ask elimination was applied. In the case of branch elimination the proof follows immediately from the fact that we consider also the inconsistent results of non-terminated computations. As for the ask elimination case, let us assume that

- $d : q(r) \leftarrow C[ask(true) \to H] \in D_{i-1}$ and
- $d' : q(r) \leftarrow C[H] \in D_i$.

We show, by induction on the weight $wt_t(C_I[q(v)], c_I, c_F)$, where $t = m(B, c_F)$, that there exists a split derivation $\xi = \langle D_i.C_I[q(v)], c_I\rangle \to^* \langle D_0.B', c'_F\rangle$ in $D_i \cup D_0$, such that $\exists_{-Var(C_I[q(v)],c_I)}\,c'_F = \exists_{-Var(C_I[q(v)],c_I)}\,c''_F$ and $m(B', c'_F) = m(B'', c''_F)$. Then the proof follows by (57).

Base case. In this case $wt_t(C_I[q(v)], c_I, c_F) = 0$ and, by definition of split derivation, $B'' = C_k[ask(true) \to H]$ and $\chi$ has the form
$$\chi = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[ask(true) \to H] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_k[ask(true) \to H], c''_F\rangle,$$
where rule R2 is not used and therefore each derivation step is done in $D_{i-1}$. Moreover, observe that since $t \in \{ss, dd, ff\}$, if $c''_F$ is satisfiable then $C_k[\,]$ is a guarding context. Then, it is easy to check that
$$\xi = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[H] \| tell(v=r)], c_I\rangle \to^* \langle D_i.C_k[H], c''_F\rangle$$
is a split derivation in $D_i \cup D_0$, such that $m(C_k[H], c''_F) = m(C_k[ask(true) \to H], c''_F) \in \{dd, ff\}$, and then the thesis follows by the previous observation.

Induction step. Assume that $wt_t(C_I[q(v)], c_I, c_F) = n > 0$ and that $\chi$ has the form
$$\chi = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[ask(true) \to H] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_m[ask(true) \to H], c_m\rangle \to \langle D_0.C_m[H], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle,$$
since the other case is immediate. By the definition of $D_i$ and since $\chi$ is a split derivation, there exists a derivation
$$\xi_0 = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[H] \| tell(v=r)], c_I\rangle \to^* \langle D_i.C_m[H], c_m\rangle,$$
which does not use rule R2. Moreover, by definition of split derivation
$$wt_t(C_m[H], c_m, c''_F) < wt_t(C_I[q(v)], c_I, c''_F)$$
and therefore, by inductive hypothesis, there exists a split derivation in $D_i \cup D_0$,
$$\xi_1 = \langle D_i.C_m[H], c_m\rangle \to^* \langle D_0.B', c'_F\rangle,$$
such that
$$m(B', c'_F) = m(B'', c''_F) = t \quad\text{and}\quad \exists_{-Var(C_m[H],c_m)}\,c'_F = \exists_{-Var(C_m[H],c_m)}\,c''_F. \tag{74}$$
Without loss of generality, we can assume that $Var(\xi_0) \cap Var(\xi_1) \subseteq Var(C_m[H], c_m)$. Therefore, by (74) and by definition of $c'_F$ and $c''_F$,
$$\exists_{-Var(C_I[q(v)],c_I)}\,c'_F = \exists_{-Var(C_I[q(v)],c_I)}\,(c_m \wedge \exists_{-Var(C_m[H],c_m)}\,c'_F) = \exists_{-Var(C_I[q(v)],c_I)}\,(c_m \wedge \exists_{-Var(C_m[H],c_m)}\,c''_F) = \exists_{-Var(C_I[q(v)],c_I)}\,c''_F. \tag{75}$$
Then, by definition of weight, since $wt_t(C_m[H], c_m, c''_F) < wt_t(C_I[q(v)], c_I, c''_F)$ and by (74),
$$wt_t(C_m[H], c_m, c'_F) < wt_t(C_I[q(v)], c_I, c'_F). \tag{76}$$
Moreover, by our hypothesis on the variables of $\xi_0$ and of $\xi_1$, there exists a derivation in $D_i \cup D_0$
$$\xi = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[H] \| tell(v=r)], c_I\rangle \to^* \langle D_i.C_m[H], c_m\rangle \to^* \langle D_0.B', c'_F\rangle.$$
By (74) and (76), since $\xi_0$ does not use rule R2 and $\xi_1$ is a split derivation in $D_i \cup D_0$, we have that $\xi$ is a split derivation in $D_i \cup D_0$ such that $m(B', c'_F) = m(B'', c''_F)$. Now the thesis follows by (75).

Case 6: An ask guard in $d$ is distributed. Let

- $d : q(r) \leftarrow C[H \| \sum_{j=1}^{n} ask(c_j) \to B_j] \in D_{i-1}$,
- $d' : q(r) \leftarrow C[\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)] \in D_i$,

where, for every constraint $e'$ such that $Var(e') \cap Var(d) \subseteq Var(q(r), C)$, if $\langle D_{i-1}.H, e' \wedge pc(C[\,])\rangle$ is productive then there exists at least one $j \in [1,n]$ such that $\mathcal{D} \models (e' \wedge pc(C[\,])) \to c_j$, and for each $j \in [1,n]$ either $\mathcal{D} \models (e' \wedge pc(C[\,])) \to c_j$ or $\mathcal{D} \models (e' \wedge pc(C[\,])) \to \neg c_j$.

By the definition of split derivation, $\chi$ has the form
$$\chi = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_m[\textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_m\rangle \to \langle D_0.A_{m+1}, c_m\rangle \to^* \langle D_0.B'', c''_F\rangle.$$

If the first $m-1$ steps of $\chi$ do not evaluate the agent $H$ then the proof is analogous to that of Case 6 of Lemma A.5. Otherwise, let us assume that
$$\chi = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_m[H' \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_m\rangle \to \langle D_0.A_{m+1}, c_m\rangle \to^* \langle D_0.B'', c''_F\rangle.$$

Since by the inductive hypothesis for any agent $A$, $\mathcal{O}(D_0.A) = \mathcal{O}(D_{i-1}.A)$, there exists a derivation
$$\chi' = \langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_k[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_k\rangle \to^* \langle D_{i-1}.\bar B, \bar c_F\rangle,$$
where $\exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F = \exists_{-Var(C_I[q(v)],c_I)}\,c''_F$ and $m(\bar B, \bar c_F) = m(B'', c''_F)$. By (57),
$$\exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F = \exists_{-Var(C_I[q(v)],c_I)}\,c_F \quad\text{and}\quad m(\bar B, \bar c_F) = m(B, c_F). \tag{77}$$

Without loss of generality we can assume that the first $k$ steps of $\chi'$ neither use rule R2 nor contain the evaluation of any (renamed) occurrence $\bar H$ of the agent $H$, where $q(r') \leftarrow C[\bar H \| \sum_{j=1}^{n} ask(c_j) \to B_j]$ is a renamed version of the declaration $d$ and $C[\bar H \| \sum_{j=1}^{n} ask(c_j) \to B_j]$ has been introduced by the evaluation of a procedure call of the form $q(s)$. Moreover, we can assume that $k$ is maximal, in the sense that either $c_k$ is not satisfiable or the $(k+1)$-th step can only either use rule R2 or evaluate a (renamed) occurrence of $H$ introduced by a procedure call of the form $q(s)$. If $c_k$ is not satisfiable, then the proof is analogous to that of the previous Case 4.

Assume then that $c_k$ is satisfiable. By Lemma A.6 and (77), there exists a constraint $d$ such that $Var(d) \subseteq Var(C_k[H \| \sum_{j=1}^{n} ask(c_j) \to B_j], c_k)$ and
$$wt_t(C_k[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_k, d) < wt_t(C_I[q(v)], c_I, \bar c_F), \tag{78}$$
where
$$\exists_{-Var(C_I[q(v)],c_I)}\,d = \exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F \quad\text{and}\quad t = m(\bar B, \bar c_F). \tag{79}$$
By definition of weight, by (78) and since $Var(d) \subseteq Var(C_k[H \| \sum_{j=1}^{n} ask(c_j) \to B_j], c_k)$, there exists a derivation
$$\langle D_0.C_k[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_k\rangle \to^* \langle D_0.B', d'\rangle$$
such that $\exists_{-Var(C_k[H \| \sum_{j=1}^{n} ask(c_j)\to B_j],\,c_k)}\,d' = d$ and $m(B', d') = t$. Then, by the definition of weight and by (78),
$$wt_t(C_k[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_k, d') < wt_t(C_I[q(v)], c_I, \bar c_F). \tag{80}$$
Without loss of generality, we can assume that $Var(d') \cap Var(C_I[q(v)], c_I) \subseteq Var(C_k, c_k)$. Therefore from (79) it follows that
$$\exists_{-Var(C_I[q(v)],c_I)}\,d' = \exists_{-Var(C_I[q(v)],c_I)}\,\bar c_F \quad\text{and}\quad m(B', d') = m(\bar B, \bar c_F). \tag{81}$$

Let $C'_k[\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)]$ be the agent obtained from $C_k[H \| \sum_{j=1}^{n} ask(c_j) \to B_j]$ as follows: any (renamed) occurrence of the agent $H \| \sum_{j=1}^{n} ask(c_j) \to B_j$ in $C_k[\,]$ which has been introduced by a procedure call of the form $q(s)$ is replaced by a (suitably renamed) occurrence of the agent $\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)$.

By the definition of $D_i$ and since $\langle D_{i-1}.C_I[q(v)], c_I\rangle \to^* \langle D_{i-1}.C_k[H \| \sum_{j=1}^{n} ask(c_j) \to B_j], c_k\rangle$, there exists a derivation
$$\xi_0 = \langle D_i.C_I[q(v)], c_I\rangle \to^* \langle D_i.C'_k[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)], c_k\rangle$$
which does not use rule R2.

Now, by construction, $C'_k[\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)]$ has the form $A_1 \| \ldots \| A_l$, where each $A_j$ is either a choice agent or $Stop$.

Moreover, since $D_0$ is weight complete, $\langle D_0.C_k[H \| \sum_{j=1}^{n} ask(c_j) \to B_j], c_k\rangle \to^* \langle D_0.B', d'\rangle$ and, analogously to Case 6 of Lemma A.5, there exists a split derivation
$$\xi_1 = \langle D_0.C'_k[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)], c_k\rangle \to^* \langle D_0.B', c'_F\rangle,$$
such that $\exists_{-Var(C'_k[\sum_{j=1}^{n} ask(c_j)\to(H \| B_j)],\,c_k)}\,c'_F = \exists_{-Var(C'_k[\sum_{j=1}^{n} ask(c_j)\to(H \| B_j)],\,c_k)}\,d'$ and $m(B', c'_F) = m(B', d')$.

Then, by using the same arguments as in Case 6 of Lemma A.5, from the definition of weight and (80) it follows that
$$wt_t(C'_k[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)], c_k, c'_F) = wt_t(C'_k[\textstyle\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)], c_k, d') \le wt_t(C_k[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], c_k, d') < wt_t(C_I[q(v)], c_I, \bar c_F),$$
where $t = m(B', c'_F)$.

From this point the proof proceeds exactly as in Case 4 by using Lemma A.7 and therefore it is omitted.

Case 7: Finally assume that $d$ is folded. Let

- $d : q(r) \leftarrow C[H]$ be the folded declaration ($\in D_{i-1}$),
- $f : p(X) \leftarrow H$ be the folding declaration ($\in D_0$),
- $d' : q(r) \leftarrow C[p(X)]$ be the result of the folding operation ($\in D_i$),

where, by definition of folding, $Var(d) \cap Var(X) \subseteq Var(H)$ and $Var(H) \cap (Var(r) \cup Var(C)) \subseteq Var(X)$. Since $C[\,]$ is a guarding context, the agent $H$ in $C[H]$ appears in the scope of an ask guard. By definition of split derivation $\chi$ has the form
$$\langle D_{i-1}.C_I[q(v)], c_I\rangle \to \langle D_{i-1}.C_I[C[H] \| tell(v=r)], c_I\rangle \to^* \langle D_{i-1}.C_m[H], c_m\rangle \to \langle D_0.C_{m+1}[H], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle,$$
where $C_m[\,]$ is a guarding context. Without loss of generality we can assume that $Var(\chi) \cap Var(X) \subseteq Var(H)$. Then, from the definition of $D_i$ it follows that there exists a derivation
$$\xi_0 = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[p(X)] \| tell(v=r)], c_I\rangle \to^* \langle D_i.C_m[p(X)], c_m\rangle \to \langle D_0.C_{m+1}[p(X)], c_m\rangle,$$
which performs exactly the same first $m$ steps as $\chi$. Since $\langle D_0.C_{m+1}[H], c_m\rangle \to^* \langle D_0.B'', c''_F\rangle$, the definition of weight implies that $wt_t(C_{m+1}[H], c_m, c''_F)$ is defined, where $t = m(B'', c''_F)$. Then, by (57), we have that
$$t = m(B, c_F). \tag{82}$$
The definitions of derivation and folding imply that $Var(H) \cap Var(C_{m+1}, c_m) \subseteq Var(H) \cap Var(C, r) \subseteq Var(X)$ holds. Moreover, from the assumptions on the variables, we obtain that $Var(c''_F) \cap Var(X) \subseteq Var(H)$. Thus, from part 2 of Lemma A.4 it follows that there exists a constraint $d'$ such that
$$wt_t(C_{m+1}[p(X)], c_m, d') \le wt_t(C_{m+1}[H], c_m, c''_F) \quad\text{and}\quad \exists_{-Var(C_{m+1}[p(X)],c_m)}\,d' = \exists_{-Var(C_{m+1}[p(X)],c_m)}\,c''_F. \tag{83}$$
From the definition of weight and the fact that $wt_t(C_{m+1}[H], c_m, c''_F)$ is defined it follows that there exists a derivation $\xi_1 = \langle D_0.C_{m+1}[p(X)], c_m\rangle \to^* \langle D_0.B', c'_F\rangle$, where $m(B', c'_F) = t$ and $\exists_{-Var(C_{m+1}[p(X)],c_m)}\,c'_F = \exists_{-Var(C_{m+1}[p(X)],c_m)}\,d'$. Then, by the definition of weight, $wt_t(C_{m+1}[p(X)], c_m, c'_F) = wt_t(C_{m+1}[p(X)], c_m, d')$ and therefore, by (83),
$$wt_t(C_{m+1}[p(X)], c_m, c'_F) \le wt_t(C_{m+1}[H], c_m, c''_F) \tag{84}$$
holds. Moreover, from (82) we obtain
$$m(B', c'_F) = m(B, c_F). \tag{85}$$
Without loss of generality, we can now assume that
$$Var(\xi_0) \cap Var(\xi_1) = Var(C_{m+1}[p(X)], c_m).$$
Then, by (83) and (57) it follows that
$$\exists_{-Var(C_I[q(v)],c_I)}\,c'_F = \exists_{-Var(C_I[q(v)],c_I)}\,(c_m \wedge \exists_{-Var(C_{m+1}[p(X)],c_m)}\,c'_F) = \exists_{-Var(C_I[q(v)],c_I)}\,(c_m \wedge \exists_{-Var(C_{m+1}[p(X)],c_m)}\,c''_F) = \exists_{-Var(C_I[q(v)],c_I)}\,c''_F = \exists_{-Var(C_I[q(v)],c_I)}\,c_F. \tag{86}$$
From the definition of weight $wt_t(C_I[q(v)], c_I, c'_F) = wt_t(C_I[q(v)], c_I, c_F)$ and, since $\chi$ is a split derivation, we obtain $wt_t(C_I[q(v)], c_I, c_F) > wt_t(C_{m+1}[H], c_m, c''_F)$. Then, from (84) and (86) it follows that
$$wt_t(C_I[q(v)], c_I, c'_F) > wt_t(C_{m+1}[p(X)], c_m, c'_F) \tag{87}$$
and therefore, by construction,
$$\xi = \langle D_i.C_I[q(v)], c_I\rangle \to \langle D_i.C_I[C[p(X)] \| tell(v=r)], c_I\rangle \to^* \langle D_i.C_m[p(X)], c_m\rangle \to \langle D_0.C_{m+1}[p(X)], c_m\rangle \to^* \langle D_0.B', c'_F\rangle$$
is a derivation in $D_i \cup D_0$ such that: (a) rule R2 is not used in the first $m-1$ steps; (b) rule R2 is used in the $m$-th step. The thesis then follows from (86), (85) and (87), thus concluding the proof. $\square$

A.1 Proof of correctness for intermediate results and traces

In this subsection we show how the previous proofs can be adapted when considering intermediate results and traces as observables. We first consider Theorem 5.1. Since its proof is essentially the same as that already given for the total correctness theorem, here we provide only the intuition illustrating the (minor) modifications needed.

Theorem 5.1 (Total Correctness 2). Let $D_0, \ldots, D_n$ be a transformation sequence, and $A$ be an agent.

- If there exists a derivation $\langle D_0.A, c\rangle \to^* \langle D_0.B, d\rangle$ then there exists a derivation $\langle D_n.A, c\rangle \to^* \langle D_n.B', d'\rangle$ such that $\mathcal{D} \models \exists_{-Var(A,c)}\,d' \to \exists_{-Var(A,c)}\,d$.
- Conversely, if there exists a derivation $\langle D_n.A, c\rangle \to^* \langle D_n.B, d\rangle$ then there exists a derivation $\langle D_0.A, c\rangle \to^* \langle D_0.B', d'\rangle$ with $\mathcal{D} \models \exists_{-Var(A,c)}\,d' \to \exists_{-Var(A,c)}\,d$.

Proof. The proof of this result is essentially the same as that of the total correctness Theorem 4.13, provided that in such a proof, as well as in the proofs of the related preliminary results, we perform the following changes:

(1) Rather than considering terminating derivations, we consider any (possibly non-maximal) finite derivation.

(2) Whenever in a proof we write that, given a derivation $\xi$, a derivation $\xi'$ is constructed which performs the same steps as $\xi$, possibly in a different order, we now write that a derivation $\xi''$ is constructed which performs the same steps as $\xi$ (possibly in a different order) plus some other additional steps. Since the store grows monotonically in ccp derivations, clearly if a constraint $c$ is the result of the derivation $\xi$, then the result of $\xi''$ is a constraint $c''$ such that $\mathcal{D} \models c'' \to c$ holds. For example, for Case 2 in the proof of Proposition 4.5 (in the Appendix), when considering a (non-maximal) derivation $\xi$ which uses the declaration $H \leftarrow C[tell(s=t) \| B]$ we can always construct a derivation $\xi''$ which performs all the steps of $\xi$ (possibly plus others) and such that the $tell(s=t)$ agent is evaluated before $B$. Differently from the previous proof, now we are not ensured that the result of $\xi$ is the same as that of $\xi''$, since $\xi$ is non-maximal (thus, $\xi$ could also avoid the evaluation of $tell(s=t)$). However, we are ensured that the result of $\xi''$ is stronger than (i.e. implies) that of $\xi$. $\square$

We now consider the correctness results given for the restricted transformation system with respect to the traces. Also in this case, the proofs follow the guidelines of those already presented in Section 4 and in the previous part of this Appendix. We then sketch the proofs by showing which are the relevant new notions and differences with respect to the previous ones.

In the remainder of this section we will always refer to the restricted transformation system and to a given restricted transformation sequence $D_0, \ldots, D_n$.

We start with the following definition.

Definition A.10. Let $D$ be a set of declarations and let $\xi$ be the derivation
$$\langle D.A_1, c_1\rangle \to \langle D.A_2, c_2\rangle \to \cdots \to \langle D.A_n, c_n\rangle.$$
We define
$$tr(\xi) = \exists_{-Var(A_1,c_1)}\,(c_1; c_2; \ldots; c_n) = (c_1;\ (\exists_{-Var(A_1,c_1)}\,c_2);\ \ldots;\ (\exists_{-Var(A_1,c_1)}\,c_n)).$$

The function mode ($m(A,d)$) is extended to consider also non-terminated derivations in the obvious way. We then extend the notions of weight, split derivation and weight complete program to the case of traces. Here and in the following the subscript $t$ will denote a generic termination mode, that is, we assume $t \in \{ss, dd, pp, ff\}$. We also say that a trace starts with $c$ in case $c$ is the first constraint appearing in that trace.
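The following worked example is added here to illustrate Definition A.10 on a concrete derivation; it is not part of the original paper. The declaration set, the initial agent and the two interleavings are constructed for the example. The steps assume the operational rules the derivations above rely on: a procedure call $p(t)$ is replaced by the (renamed) body of its declaration $p(s) \leftarrow A$ in parallel with $tell(t = s)$, $tell(c)$ adds $c$ to the store, a choice agent commits to a branch whose guard is entailed by the current store, and $Stop \| A$ is identified with $A$.

```latex
% Added example (not from the paper): tr(\xi) for two interleavings of one
% constructed program.  Declarations, agents and stores are constructed here.
\text{Declarations (constructed): } D = \{\, p(X) \leftarrow tell(X = a) \,\}.
\text{Initial configuration: } \langle D.\,p(Y) \| (ask(Y = a) \to tell(Z = b)),\ true\rangle,
\quad\text{so } Var(A_1, c_1) = \{Y, Z\}.

\text{Derivation } \xi \text{ (the call is unfolded with the renamed declaration } p(X') \leftarrow tell(X' = a)):
\begin{array}{lll}
\langle D.\,p(Y) \| (ask(Y=a) \to tell(Z=b)),\ true\rangle & \to & \text{(call)}\\
\langle D.\,tell(X'=a) \| tell(Y=X') \| (ask(Y=a) \to tell(Z=b)),\ true\rangle & \to & \text{(tell)}\\
\langle D.\,tell(Y=X') \| (ask(Y=a) \to tell(Z=b)),\ X'=a\rangle & \to & \text{(tell)}\\
\langle D.\,ask(Y=a) \to tell(Z=b),\ X'=a \wedge Y=X'\rangle & \to & \text{(ask: } X'=a \wedge Y=X' \text{ entails } Y=a)\\
\langle D.\,tell(Z=b),\ X'=a \wedge Y=X'\rangle & \to & \text{(tell)}\\
\langle D.\,Stop,\ X'=a \wedge Y=X' \wedge Z=b\rangle & & m = ss
\end{array}

\text{Hiding the local variable } X' \text{ from every store:}
tr(\xi) = \exists_{-\{Y,Z\}}(true;\ true;\ X'=a;\ X'=a \wedge Y=X';\ X'=a \wedge Y=X';\ X'=a \wedge Y=X' \wedge Z=b)
        = (true;\ true;\ true;\ Y=a;\ Y=a;\ Y=a \wedge Z=b).

\text{Derivation } \xi' \text{ evaluating } tell(Y=X') \text{ before } tell(X'=a) \text{ has raw stores}
(true;\ true;\ Y=X';\ Y=X' \wedge X'=a;\ Y=X' \wedge X'=a;\ Y=X' \wedge X'=a \wedge Z=b),
\text{hence } tr(\xi') = (true;\ true;\ true;\ Y=a;\ Y=a;\ Y=a \wedge Z=b) = tr(\xi).
```

The two interleavings produce different raw store sequences (their third stores are $X'=a$ and $Y=X'$ respectively), yet both hide to $true$ under $\exists_{-Var(A_1,c_1)}$, so the traces coincide. This is exactly the effect of the hiding in Definition A.10: only the constraints on the variables of the initial configuration are observable.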

Definition A.11 (Weight for traces). Given an agent $A$, a satisfiable constraint $c$ and a trace $s$ starting with $c$, we define the weight of the agent $A$ w.r.t. the trace $s$, notation $wt_t(A, s)$, as follows:
$$wt_t(A, s) = \min\{\, n \mid n = wh(\xi) \text{ and } \xi \text{ is a derivation } \langle D_0.A, c\rangle \to^* \langle D_0.B, d\rangle \text{ such that } \exists_{-Var(A,c)}\,s \preceq tr(\xi) \text{ and } t = m(B,d) \,\}.$$

Definition A.12 (Split derivation for traces). Let $D_0, \ldots, D_i$ be a transformation sequence. We call a derivation in $D_i \cup D_0$ a split derivation for traces if it has the form
$$\langle D_i.A_1, c_1\rangle \to^* \langle D_i.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle \to^* \langle D_0.A_n, c_n\rangle$$
where $m \in [1,n]$ and the following conditions hold:

(a) the first $m-1$ derivation steps do not use rule R2;

(b) the $m$-th derivation step $\langle D_i.A_m, c_m\rangle \to \langle D_0.A_{m+1}, c_{m+1}\rangle$ uses rule R2;

(c) $wt_t(A_1, (c_1; c_2; \ldots; c_n)) > wt_t(A_{m+1}, (c_{m+1}; \ldots; c_n))$, where $t = m(A_n, c_n)$.

Definition A.13. We call the program $D_i$ weight complete for traces iff, for any agent $A$ and any satisfiable constraint $c$, the following holds: if there exists a derivation
$$\chi = \langle D_0.A, c\rangle \to^* \langle D_0.B, d\rangle$$
such that $m(B,d) \in \{ss, dd, pp, ff\}$ then there exists a split derivation in $D_i \cup D_0$
$$\xi = \langle D_i.A, c\rangle \to^* \langle D_0.B', d'\rangle$$
where $tr(\chi) \preceq tr(\xi)$ and $m(B', d') = m(B, d)$.

Proposition 4.9 holds also when considering as observables $\mathcal{O}_t$ rather than $\mathcal{O}$, and its proof is essentially the same, thus we omit it.

The following Lemma is obtained from Lemma A.1 by considering the weakest produced constraint $wpc$ rather than the produced constraint. The proof is analogous to that given for Lemma A.1 and hence it is omitted.

Lemma A.14. Assume that there exists a derivation $\langle D.C[A], c\rangle \to^* \langle D.C'[A], c'\rangle$ where $c$ is a satisfiable constraint and the context $C'[\,]$ has the form
$$A_1 \| \ldots \| C''[\,] \| \ldots \| A_l.$$
Then $\mathcal{D} \models (wpc(C''[\,]) \wedge c') \to wpc(C[\,])$ holds and, in case $C''[\,]$ is the empty context, also $\mathcal{D} \models c' \to wpc(C[\,])$ holds.

In the following we extend to sets of observables the (pre-order) relation $\preceq$ in the expected way: given two sets of observables $\mathcal{O}_t(D_i.A)$ and $\mathcal{O}_t(D_j.A)$, we say that $\mathcal{O}_t(D_i.A) \preceq \mathcal{O}_t(D_j.A)$ iff, for any $\langle s, x\rangle \in \mathcal{O}_t(D_i.A)$ (with $x \in \{ss, dd, pp, ff\}$), there exists $\langle s', x\rangle \in \mathcal{O}_t(D_j.A)$ such that $s \preceq s'$. We denote by $\equiv$ the equivalence relation induced by $\preceq$ on sets of observables, that is, $\mathcal{O}_t(D_i.A) \equiv \mathcal{O}_t(D_j.A)$ iff $\mathcal{O}_t(D_i.A) \preceq \mathcal{O}_t(D_j.A)$ and $\mathcal{O}_t(D_j.A) \preceq \mathcal{O}_t(D_i.A)$.

The following is the analogue of Proposition 4.5 for traces.

Proposition A.15 (Partial Correctness for traces). If, for each agent $A$, $\mathcal{O}_t(D_0.A) \equiv \mathcal{O}_t(D_i.A)$ then, for each agent $A$, $\mathcal{O}_t(D_{i+1}.A) \preceq \mathcal{O}_t(D_i.A)$.

Proof. We have to show that, given an agent $A$ and a satisfiable constraint $c_I$, if there exists a derivation $\xi = \langle D_{i+1}.A, c_I\rangle \to^* \langle D_{i+1}.B, c_F\rangle$, then there exists also a derivation $\xi' = \langle D_i.A, c_I\rangle \to^* \langle D_i.B', c'_F\rangle$ such that $tr(\xi) \preceq tr(\xi')$ and $m(B', c'_F) = m(B, c_F)$.

The proof is analogous to that given for Proposition 4.5, therefore we illustrate only the modifications needed to adapt such a proof.

Assume that the first step of derivation $\xi$ uses rule R4 and let $d' \in D_{i+1}$ be the declaration used in the first step of $\xi$. Assume also that $d' \notin D_i$ and that $d'$ is the result of the transformation operation applied to obtain $D_{i+1}$. As usual, we distinguish various cases according to the kind of operation performed. Here we consider only those cases whose proof is different from that of Proposition 4.5, due to the fact that here we consider traces (consisting of intermediate results) rather than the final constraints.

Case 2. In this case $d : H \leftarrow C[tell(s=t) \| B] \in D_i$ and $d' : H \leftarrow C[B\sigma] \in D_{i+1}$, where $\sigma$ is a relevant most general unifier of $s$ and $t$ (or a renaming, in case $s$ and $t$ consist of distinct variables). From the definition of the operation we know that the variables in the domain of $\sigma$ occur neither in $C[\,]$ nor in $H$ and, differently from the case of Proposition 4.5, that $Var(B) \cap Var(H, C) = \emptyset$.

For any derivation which uses a declaration $H \leftarrow C[tell(s=t) \| B]$, if the agent $tell(s=t)$ is evaluated before $B$ then the proof is analogous to that given for Case 2 of Proposition 4.5. Otherwise, if the agent $tell(s=t)$ is not evaluated before $B$, then by using the condition $Var(B) \cap Var(H, C) = \emptyset$ we obtain that the evaluation of the agent $B$ can add to the store only constraints on variables which occur neither in the global store (before the evaluation of $B$) nor in $Var(A, c_I)$. Therefore the contribution to the global store of the agent $B$ (before the evaluation of the agent $tell(s=t)$), when restricted to $Var(A, c_I)$, is equivalent either to the constraint $true$ or to the constraint $false$.

In the first case the global store is the same as that existing before the evaluation of $B$. In the second case we can obtain the constraint $false$ by evaluating the same agents evaluated in $B$ also in $B\sigma$.

Case 3. In this case the proof is analogous to that given for Case 3 of Proposition 4.5 by observing the following: if in the derivation $\chi$ in $D_i$ either the agent $tell(b)$ or the agent $tell(t=s)$ is evaluated, then in the derivation $\chi'$ the agent $p(t)$ can be evaluated and then one performs exactly the same steps as $\chi$, except for the evaluation of a renamed version of the agents $tell(b)$ and $tell(t=s)$.

Case 4. For the ask simplification the proof of Case 4 of Proposition 4.5 is simplified by using Lemma A.14 and by observing that, for any derivation, when the choice agent inside $C[\,]$ is evaluated the current store certainly implies $wpc(C[\,])$. Therefore we do not need to construct the new derivation $\chi'$. The same holds for the tell simplification.

Case 7. In this case the proof is analogous to that given for the previous Case 2, by observing that in the derivation
$$\beta = \langle D_0.C_I[C[H' \| tell(X = X')] \| tell(v=r)], c_I\rangle \to^* \langle D_0.B_0, c_0\rangle,$$
$Var(H') \cap Var(C_I, C, c_I, X, v, r) = \emptyset$. Therefore we can construct a derivation
$$\chi_0 = \langle D_0.C_I[C[H \| tell(X' = X)] \| tell(v=r)], c_I\rangle \to^* \langle D_0.B'_0, c'_0\rangle$$
where $tr(\beta) \preceq tr(\chi_0)$ and $m(B_0, c_0) = m(B'_0, c'_0)$. Moreover, we can drop the constraint $tell(X' = X)$, since the declarations used in the derivation are renamed apart and, by construction, $Var(C_I[C[H] \| tell(v=r)], c_I) \cap Var(X') = \emptyset$. We then obtain that there exists a derivation $\beta' = \langle D_0.C_I[C[H] \| tell(v=r)], c_I\rangle \to^* \langle D_0.B''_0, c''_0\rangle$ which performs exactly the same steps as $\chi_0$ except for (possibly) the evaluation of $tell(X' = X)$ and such that $\exists_{-Var(C_I[C[H] \| tell(v=r)],\,c_I)}\,tr(\chi_0) \preceq tr(\beta')$ and $m(B''_0, c''_0) = m(B'_0, c'_0)$. Now the proof is the same as that given for Case 7 of Proposition 4.5, since the evaluation of $tell(X' = X)$ does not modify the current store with respect to the variables not in $Var(X')$. $\square$

The following Lemmata are the counterpart of the previous Lemma A.3 and Lemma A.4 when considering the observables $\mathcal{O}_t(D_i.A)$.

Lemma A.16. Let $q(r) \leftarrow H \in D_0$ and let $C[\,]$ be a context. For any satisfiable constraint $c$ and for any trace $s$ starting with $c$, such that $Var(C[q(t)], c) \cap Var(r) = \emptyset$ and $wt_t(C[q(t)], s)$ is defined, there exists a trace $s'$ such that $wt_t(C[q(r) \| tell(t = r)], s') \le wt_t(C[q(t)], s)$ and $\exists_{-Var(C[q(t)],c)}\,s \preceq \exists_{-Var(C[q(t)],c)}\,s'$.

Proof. Immediate. $\square$

Lemma A.17. Let $q(r) \leftarrow H \in D_0$. For any context $C_I[\,]$, any satisfiable constraint $c$ and for any sequence $s$ starting in $c$, the following holds:

(1) If $Var(H) \cap Var(C_I, c) \subseteq Var(r)$ and $wt_t(C_I[q(r)], s)$ is defined, then there exists a sequence $s'$, such that $Var(s') \subseteq Var(C_I[H], c)$, $wt_t(C_I[H], s') \le wt_t(C_I[q(r)], s)$ and $\exists_{-Var(C_I[q(r)],c)}\,s \preceq \exists_{-Var(C_I[q(r)],c)}\,s'$.

(2) If $Var(H) \cap Var(C_I, c) \subseteq Var(r)$, $Var(s) \cap Var(r) \subseteq Var(C_I[H], c)$ and $wt_t(C_I[H], s)$ is defined, then there exists a sequence $s'$, such that $wt_t(C_I[q(r)], s') \le wt_t(C_I[H], s)$ and $\exists_{-Var(C_I[q(r)],c)}\,s \preceq \exists_{-Var(C_I[q(r)],c)}\,s'$.

Proof. Immediate. $\square$

Analogously to the case of the previous results, the following Lemma is crucial in the proof of completeness for traces.

Lemma A.18. Let $0 \le i \le n$, $d : q(r) \leftarrow H$ be a declaration in $D_i$ and let $d' : q(r) \leftarrow H'$ be the corresponding declaration in $D_{i+1}$ (in case $i < n$). For any context $C_I[\,]$, any satisfiable constraint $c$ and for any sequence $s$ starting in $c$ the following holds:

(1) If $Var(H) \cap Var(C_I, c) \subseteq Var(r)$ and $wt_t(C_I[q(r)], s)$ is defined, then there exists a sequence $s'$, such that $Var(s') \subseteq Var(C_I[H], c)$, $wt_t(C_I[H], s') \le wt_t(C_I[q(r)], s)$ and $\exists_{-Var(C_I[q(r)],c)}\,s \preceq \exists_{-Var(C_I[q(r)],c)}\,s'$;

(2) If $Var(H, H') \cap Var(C_I, c) \subseteq Var(r)$, $Var(s) \cap Var(r) \subseteq Var(C_I[H], c)$ and $wt_t(C_I[H], s)$ is defined, then there exists a sequence $s'$, such that $Var(s') \subseteq Var(C_I[H'], c)$, $wt_t(C_I[H'], s') \le wt_t(C_I[H], s)$ and $\exists_{-Var(C_I[q(r)],c)}\,s \preceq \exists_{-Var(C_I[q(r)],c)}\,s'$.

Proof. The proof is analogous to that given for Lemma A.5, by using Lemma A.17 and A.16 instead of Lemma A.4 and A.3, respectively. We have only to observe the following facts:

For Case 3, Point (1), we can evaluate the agent $tell(b)$ after the global store implies $\exists_{-Var(t)}\,b$. In this way the new derivation has the same sequence of intermediate results.

For Case 6, Point (2), by using Lemma A.14, if there exists a derivation
$$\xi = \langle D_0.C_I[C[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j]], c\rangle \to^* \langle D_0.C_m[H \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], d_m\rangle \to \langle D_0.C_m[H' \| \textstyle\sum_{j=1}^{n} ask(c_j) \to B_j], d_{m+1}\rangle \to^* \langle D_0.B, d\rangle,$$
then $\mathcal{D} \models d_m \to e$ (where $e = wpc(C[\,])$). If $\langle D_0.H, d_m\rangle$ is not productive then the proof is straightforward. Otherwise, assume that $\langle D_0.H, d_m\rangle$ is productive. By definition of distribution there exists at least one $j \in [1,n]$ such that $\mathcal{D} \models d_m \to c_j$ and, for each $j \in [1,n]$, either $\mathcal{D} \models d_m \to c_j$ or $\mathcal{D} \models d_m \to \neg c_j$. Then, by definition, there exists a derivation $\xi_1 = \langle D_0.C_m[\sum_{j=1}^{n} ask(c_j) \to (H \| B_j)], d_m\rangle \to^* \langle D_0.B, d\rangle$ which performs the same steps as $\xi$ in the same order, except for one step of evaluation of the agent $\sum_{j=1}^{n} ask(c_j) \to B_j$ which is performed before evaluating the agent $H$. Then the thesis follows by definition of the relation $\preceq$. $\square$

Also the proof of the following Lemma is analogous to that of its previous counterpart (Lemma A.6) and hence it is omitted.

Lemma A.19. Let $0 \le i \le n$, $c_1$ be a satisfiable constraint and assume that there exists a derivation $\xi : \langle D_i.A_1, c_1\rangle \to^* \langle D_i.A_m, c_m\rangle \to^* \langle D_i.A_k, c_k\rangle$, such that $c_m$ is satisfiable. If

(i) in the first $m-1$ steps of $\xi$ rule R2 is used only for evaluating agents of the form $ask(c) \to B$,

(ii) $wt_t(A_1, tr(\xi))$ is defined (for $t = m(A_k, c_k) \in \{ss, dd, pp, ff\}$),

then there exists a sequence $s'$ starting in $c_m$, such that $Var(s') \subseteq Var(A_m, c_m)$,
$$\exists_{-Var(A_1,c_1)}\,(c_m; \ldots; c_k) \preceq \exists_{-Var(A_1,c_1)}\,s' \quad\text{and}\quad wt_t(A_m, s') < wt_t(A_1, tr(\xi)).$$

Finally we have the following.

Theorem 5.12 (Strong Total Correctness). Let $D_0, \ldots, D_n$ be a restricted transformation sequence, and $A$ be an agent.

- If $\langle s, x\rangle \in \mathcal{O}_t(D_0.A)$ (with $x \in \{ss, dd, pp, ff\}$) then there exists $\langle s', x\rangle \in \mathcal{O}_t(D_n.A)$ such that $s \preceq s'$.
- Conversely, if $\langle s, x\rangle \in \mathcal{O}_t(D_n.A)$ then there exists $\langle s', x\rangle \in \mathcal{O}_t(D_0.A)$ such that $s \preceq s'$.

Proof. The proof is analogous to that given for Theorem 4.13 and proceeds by showing simultaneously, by induction on $i$, that for $i \in [0,n]$ and for any agent $A$:

(1) $\mathcal{O}_t(D_0.A) \equiv \mathcal{O}_t(D_i.A)$;

(2) $D_i$ is weight complete for traces.

The proof of the base case is analogous to that given for the base case of Theorem 4.13 and hence it is omitted. For the induction step we have that, by induction hypothesis, for any agent $A$, $\mathcal{O}_t(D_0.A) \equiv \mathcal{O}_t(D_{i-1}.A)$ and $D_{i-1}$ is weight complete for traces. Proposition 4.9 holds also when considering $\mathcal{O}_t$ rather than $\mathcal{O}$. From Proposition A.15 and (the counterpart for traces of) Proposition 4.9 it then follows that if $D_i$ is weight complete for traces then, for any agent $A$, $\mathcal{O}_t(D_0.A) \equiv \mathcal{O}_t(D_i.A)$. So, in order to prove parts 1 and 2, we have only to show that, for any derivation $\beta = \langle D_0.A, c_I\rangle \to^* \langle D_0.B, c_F\rangle$ such that $c_I$ is a satisfiable constraint and $m(B, c_F) \in \{ss, dd, pp, ff\}$, there exists a split derivation in $D_i \cup D_0$, $\xi = \langle D_i.A, c_I\rangle \to^* \langle D_0.B', c'_F\rangle$, such that $tr(\beta) \preceq tr(\xi)$ and $m(B', c'_F) = m(B, c_F)$.

From the inductive hypothesis it follows that there exists a split derivation
$$\chi = \langle D_{i-1}.A, c_I\rangle \to^* \langle D_0.B'', c''_F\rangle$$
where $tr(\beta) \preceq tr(\chi)$ and $m(B'', c''_F) = m(B, c_F)$. Now, let $d \in D_{i-1} \setminus D_i$ be the modified clause in the transformation step from $D_{i-1}$ to $D_i$. The rest of the proof is essentially analogous to that given for Theorem 4.13. The only points which require some care are the following:

Case 2. In this case, the proof is analogous to that given for Case 2 of Proposition A.15.

Case 3. In this case the proof is analogous to that given for Case 3 of Proposition A.15, provided we observe the following fact for case 2a) in such a proof: given any set of declarations, if there exists a derivation $\chi'$ for the configuration $\langle C'[tell(b) \| B \| tell(t=s')], c'\rangle$ where $c'$ is satisfiable and $Var(C'[tell(b) \| B \| tell(t=s')], c') \cap Var(b, s) = \emptyset$, then there exists a derivation for $\langle C'[tell(b) \| B \| tell(t=s') \| tell(b) \| tell(t=s)], c'\rangle$ which performs the same steps as $\chi'$ plus (possibly) two steps corresponding to the evaluation of $tell(t=s)$ and $tell(b)$, after the evaluation of $tell(b)$ and $tell(t=s')$.

Case 4. Analogously to the proof of Case 4 of Proposition A.15, it is sufficient to observe the following. From Lemma A.14 it follows that, for any derivation, when the choice agent inside a context $C[\,]$ is evaluated the current store implies $wpc(C[\,])$. Then, by definition of ask simplification, the constraints $c_j$ and $c'_j$ are equivalent with respect to the current store (and therefore we do not need to construct the new derivation $\chi'$). The same reasoning applies to the case of tell simplification.

Case 6. The proof is analogous to that of Case 6 of Lemma A.18. $\square$